Abstract. We propose a general security definition for cryptographic quantum protocols
that implement classical non-reactive two-party tasks. The definition is expressed in terms
of simple quantum-information-theoretic conditions which must be satisfied by the protocol
to be secure. The conditions are uniquely determined by the ideal functionality $\mathcal{F}$ defining
the cryptographic task to be implemented. We then show the following composition result.
If quantum protocols $\pi_1, \ldots, \pi_\ell$ securely implement ideal functionalities $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$ accord-
ing to our security definition, then any purely classical two-party protocol, which makes
sequential calls to $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$, is equally secure as the protocol obtained by replacing the
calls to $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$ with the respective quantum protocols $\pi_1, \ldots, \pi_\ell$. Hence, our approach
yields the minimal security requirements which are strong enough for the typical use of
quantum protocols as subroutines within larger classical schemes. Finally, we show that
recently proposed quantum protocols for oblivious transfer and secure identification in the
bounded-quantum-storage model satisfy our security definition, and thus compose in the
above sense.

Keywords: two-party quantum cryptography, composability, identification, oblivious transfer



1 Introduction 

Background. Finding the right security definition for a cryptographic task is a non- 
trivial fundamental question in cryptography. From a theoretical point of view, one would 
like definitions to be as strong as possible in order to obtain strong composability guaran- 
tees. However, this often leads to impossibility results or to very complex and inefficient 
schemes. Therefore, from a practical point of view, one may also consider milder security 
definitions which allow for efficient schemes, but still offer "good enough" security. 

It is fair to say that in computational cryptography, the question of defining security 
and the trade-offs that come along with these definitions are by now quite well understood. 
The situation is different in quantum cryptography. For instance, it was realized only re- 
cently that the standard security definition of quantum key-agreement does not guarantee 
the desired kind of security and some work was required to establish the right security 
definition [GL03,RK05,BHL+05,Ren05,KRBM07]. In [BM04,Unr04], strong security def- 
initions for general quantum protocols were proposed by translating Canetti's universal- 
composability framework and Backes, Pfitzmann and Waidner's reactive-simulatability 
model, respectively, into the quantum setting. The resulting security definitions are very 
strong and guarantee full composability. However, they are complex and hard to achieve. 
Indeed, so far they have been actually used and shown to be achievable only in a couple of 
isolated cases: quantum key distribution [BHL+05] and quantum multi-party computation 
with dishonest minority [BCG+05]. It is still common practice in quantum cryptography
that every paper proposes its own security definition of a certain task and proves security 
with respect to the proposed definition. However, it usually remains unclear whether these 
definitions are strong enough to guarantee any kind of composability, and thus whether 
protocols that meet the definition really behave as expected. 



Contribution. We propose a general security definition for quantum protocols that 
implement cryptographic two-party tasks. The definition is in terms of simple quantum- 
information-theoretic security conditions that must be satisfied for the protocol to be 
secure. In particular, the definition does not involve additional entities like a "simula- 
tor" or an "environment". The security conditions are uniquely determined by the ideal 
functionality that defines the cryptographic task to be realized. Our definition applies to 
any non-reactive, classical ideal functionality $\mathcal{F}$, which obtains classical (in the sense of
non-quantum) input from the two parties, processes the provided input according to its 
specification, and outputs the resulting classical result to the parties. A typical example 
for such a functionality/task is oblivious transfer (OT). Reactive functionalities, i.e. func- 
tionalities that have several phases (like e.g. bit commitment), or functionalities that take 
quantum input and/or produce quantum output are not the scope of this paper. 

We show the following composition result. If quantum protocols $\pi_1, \ldots, \pi_\ell$ securely
implement ideal functionalities $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$ according to our security definition, then any
purely classical two-party protocol, which makes sequential calls to $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$, is equally
secure as the protocol obtained by replacing the calls to $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$ with the respective
quantum subroutines $\pi_1, \ldots, \pi_\ell$. We stress that our composition theorem, respectively
our security definition, only allows for the composition of quantum sub-protocols into a 
classical outer protocol. This is a trade-off which allows for milder security definitions 
(which in turn allows for simpler and more efficient implementations) but still offers 
security in realistic situations. Indeed, current technology is far from being able to execute 
quantum algorithms or protocols which involve complicated quantum operations and/or 
need to keep a quantum state "alive" for more than a tiny fraction of a second. Thus, 
the best one can hope for in the near future in terms of practical quantum algorithms 
is that certain small subroutines, like key-distribution or OT, may be implemented by 
quantum protocols, while the more complex outer protocol remains classical. From a more
theoretical point of view, our general security definition expresses what security properties
a quantum protocol must satisfy in order to be able to instantiate a basic cryptographic
primitive upon which an information-theoretic cryptographic construction is based. For
instance, it expresses the security properties a quantum OT^1 needs to satisfy so that
Kilian's classical^2 construction of general secure function evaluation based on OT [Kil88]
remains secure when instantiating the OT primitive by a quantum protocol. Alternatively,
our security conditions can also be viewed as providing the minimal requirements for a
quantum protocol to behave as expected.

Finally, we show that the ad-hoc security definitions proposed by Damgård, Fehr,
Salvail and Schaffner for their 1-2 OT and secure-identification protocols in the bounded-
quantum-storage model [DFR+07,DFSS07] imply (and are likely to be equivalent to) the
corresponding security definitions obtained from our approach.^3 This implies compos-
ability in the above sense for these quantum protocols in the bounded-quantum-storage
model.



^1 We are well aware that quantum OT is impossible without any restriction on the adversary, but it
becomes possible for instance when restricting the adversary's quantum memory [DFSS05,DFR+07].

^2 Here, "classical" can be understood as "non-quantum" as well as "being a classic".

^3 Interestingly, this is not true for the definition of Rabin OT given in the first paper in this line of
research [DFSS05], and indeed in the full version of that paper, it is mentioned that their definition poses
some "composability problems" (this problem though has been fixed in the journal version [DFSS08]).
This supports our claim that failure of satisfying our security definition is strong evidence for a security
problem of a quantum protocol.
Related work. In the classical setting, Crépeau, Savvides, Schaffner and Wullschleger
proposed information-theoretic conditions for two-party secure function evaluation [CSSW06],
though restricted to the perfect case, where the protocol is not allowed to make any er-
ror. They show equivalence to a simulation-based definition that corresponds to the stan-
dard framework of Goldreich [Gol04]. Similar conditions have been subsequently found by
Crépeau and Wullschleger for the case of non-perfect classical protocols [CW08]. Our work
can be seen as an extension of [CSSW06,CW08] to the setting where classical subroutines
are implemented by quantum protocols.

As pointed out and discussed above, general frameworks for universal composability
in the quantum setting have been established in [BM04,Unr04]. The composability of pro-
tocols in the bounded-quantum-storage model has recently been investigated by Wehner
and Wullschleger [WW08]. They propose security definitions that guarantee sequential
composability of quantum protocols within quantum protocols. This is clearly a stronger
composition result than we obtain (though restricted to the bounded-quantum-storage
model) but comes at the price of a more demanding security definition. And indeed,
whereas we show that the simple definitions used in [DFSS05,DFR+07] already guarantee
composability into classical protocols without any modifications to the original parame-
ters and proofs, [WW08] need to strengthen the quantum-memory bound (and re-do the
security proof) in order to show that the 1-2 OT protocol from [DFR+07] meets their
strong security definition. As we argued above, this is an overkill in many situations.

2 Notation 

Quantum States. We assume the reader's familiarity with basic notation and concepts
of quantum information processing [NC00].

Given a bipartite quantum state $\rho_{XE}$, we say that $X$ is classical if $\rho_{XE}$ is of the form
$\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x$ for a probability distribution $P_X$ over a finite set $\mathcal{X}$. This
can be understood in that the state of the quantum register $E$ depends on the classical
random variable $X$, in the sense that $E$ is in state $\rho_E^x$ exactly if $X = x$. For any event $\mathcal{E}$
defined by $P_{\mathcal{E}|X}(x) = P[\mathcal{E}\,|\,X = x]$ for all $x$, we may then write

$$\rho_{XE|\mathcal{E}} = \sum_x P_{X|\mathcal{E}}(x)\,|x\rangle\langle x| \otimes \rho_E^x \,. \qquad (1)$$

When we omit registers, we mean the partial trace over these registers, for instance $\rho_{E|\mathcal{E}} =
\mathrm{tr}_X(\rho_{XE|\mathcal{E}}) = \sum_x P_{X|\mathcal{E}}(x)\,\rho_E^x$, which describes $E$ given that the event $\mathcal{E}$ occurs.

This notation extends naturally to states that depend on several classical random
variables $X$, $Y$ etc., defining the density matrices $\rho_{XYE}$, $\rho_{XYE|\mathcal{E}}$, $\rho_{YE|X=x}$ etc. We tend
to slightly abuse notation and write $\rho^x_{YE} = \rho_{YE|X=x}$, $\rho^x_{YE|\mathcal{E}} = \rho_{YE|X=x,\mathcal{E}}$, as well as
$\rho^x_E = \mathrm{tr}_Y(\rho^x_{YE})$ and $\rho^x_{E|\mathcal{E}} = \mathrm{tr}_Y(\rho^x_{YE|\mathcal{E}})$. Given a state $\rho_{XE}$ with classical $X$, by saying
that "there exists a classical random variable $Y$ such that $\rho_{XYE}$ satisfies some condition",
we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for some state $\rho_{XYE}$ with
classical $X$ and $Y$, and that $\rho_{XYE}$ satisfies the required condition.^4

$X$ is independent of $E$ (in that $\rho^x_E$ does not depend on $x$) if and only if $\rho_{XE} = \rho_X \otimes \rho_E$,
which in particular implies that no information on $X$ can be learned by observing only
$E$. Similarly, $X$ is random and independent of $E$ if and only if $\rho_{XE} = \frac{\mathbb{1}}{|\mathcal{X}|} \otimes \rho_E$, where $\frac{\mathbb{1}}{|\mathcal{X}|}$
is the density matrix of the fully mixed state of suitable dimension.

^4 This is similar to the case of distributions of classical random variables where given $X$ the existence of
a certain $Y$ is understood that there exists a certain joint distribution $P_{XY}$ with $\sum_y P_{XY}(\cdot, y) = P_X$.
We also need to express that a random variable $X$ is independent of a quantum
state $E$ when given a random variable $Y$. This means that when given $Y$, the state $E$
gives no additional information on $X$. Yet another way to understand this is that $E$ is
obtained from $X$ and $Y$ by solely processing $Y$. Formally, adopting the notion introduced
in [DFSS07], this is expressed by requiring that $\rho_{XYE}$ equals $\rho_{X \leftrightarrow Y \leftrightarrow E}$, where the latter
is defined as

$$\rho_{X \leftrightarrow Y \leftrightarrow E} := \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^y \,.$$

In other words, $\rho_{XYE} = \rho_{X \leftrightarrow Y \leftrightarrow E}$ precisely if $\rho_E^{x,y} = \rho_E^y$ for all $x$ and $y$. This notation
naturally extends to $\rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}} = \sum_{x,y} P_{XY|\mathcal{E}}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes$

Full (conditional) independence is often too strong a requirement, and it usually suf-
fices to be "close" to such a situation. Closeness of two states $\rho$ and $\sigma$ is measured in
terms of their trace distance $\delta(\rho,\sigma) = \frac{1}{2}\mathrm{tr}(|\rho - \sigma|)$, where for any operator $A$, $|A|$ is
defined as $|A| := \sqrt{AA^\dagger}$. We write $\rho \approx_\varepsilon \sigma$ to denote that $\delta(\rho,\sigma) \le \varepsilon$, and we then say
that $\rho$ and $\sigma$ are $\varepsilon$-close. It is known that $\varepsilon$-closeness is preserved under any quantum
operation; this in particular implies that if $\rho \approx_\varepsilon \sigma$ then no observer can distinguish $\rho$
from $\sigma$ with advantage greater than $\varepsilon$ [RK05]. For states $\rho_{XE}$ and $\rho_{X'E'}$ with classical
$X$ and $X'$, it is not hard to see that $\delta(\rho_{XE}, \rho_{X'E'}) = \sum_x \delta\big(P_X(x)\rho^x_E, P_{X'}(x)\rho^x_{E'}\big)$, and
thus $\delta(\rho_{XE}, \rho_{X'E'}) = \sum_x P_X(x)\,\delta(\rho^x_E, \rho^x_{E'})$ if $P_X = P_{X'}$. In case of purely classical states
$\rho_X$ and $\rho_{X'}$, the trace distance coincides with the statistical distance of the random vari-
ables $X$ and $X'$: $\delta(\rho_X, \rho_{X'}) = \frac{1}{2}\sum_x |P_X(x) - P_{X'}(x)|$, and we then write $P_X \approx_\varepsilon P_{X'}$, or
$X \approx_\varepsilon X'$, instead of $\rho_X \approx_\varepsilon \rho_{X'}$.
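As an added illustration of the notation in this section (example code written for this edit, not part of the paper), the following Python/NumPy script builds cq-states of the form $\sum_x P_X(x)|x\rangle\langle x| \otimes \rho_E^x$, computes the trace distance $\delta$ from the eigenvalues of $\rho - \sigma$, and evaluates two of the quantities defined above on constructed inputs: the distance of $\rho_{XE}$ from $\rho_X \otimes \rho_E$ (independence of $X$ and $E$), and the distance of $\rho_{XYE}$ from $\rho_{X \leftrightarrow Y \leftrightarrow E}$ (independence of $X$ and $E$ given $Y$). The registers, the bit-flip noise parameters `eta` and `q`, and all function names are assumptions of the example; the paper defines none of them.

```python
import numpy as np


def ket_bra(i, dim):
    """Projector |i><i| on a dim-dimensional classical register."""
    m = np.zeros((dim, dim), dtype=complex)
    m[i, i] = 1.0
    return m


def cq_state(p_x, rho_e_given_x):
    """rho_XE = sum_x P_X(x) |x><x| (x) rho_E^x, the form that makes X classical."""
    dim = len(p_x)
    return sum(p_x[x] * np.kron(ket_bra(x, dim), rho_e_given_x[x]) for x in range(dim))


def ccq_state(p_xy, rho_e_given_xy):
    """rho_XYE = sum_{x,y} P_XY(x,y) |x><x| (x) |y><y| (x) rho_E^{x,y}."""
    dx, dy = p_xy.shape
    de = rho_e_given_xy[0][0].shape[0]
    rho = np.zeros((dx * dy * de, dx * dy * de), dtype=complex)
    for x in range(dx):
        for y in range(dy):
            rho += p_xy[x, y] * np.kron(np.kron(ket_bra(x, dx), ket_bra(y, dy)), rho_e_given_xy[x][y])
    return rho


def markov_state(p_xy, rho_e_given_xy):
    """rho_{X<->Y<->E}: keeps P_XY but replaces rho_E^{x,y} by the state of E given Y = y only,
    rho_E^y = sum_x P_{X|Y}(x|y) rho_E^{x,y}. Equal to rho_XYE exactly when rho_E^{x,y} = rho_E^y."""
    dx, dy = p_xy.shape
    p_y = p_xy.sum(axis=0)
    rho_e_given_y = [sum(p_xy[x, y] / p_y[y] * rho_e_given_xy[x][y] for x in range(dx)) for y in range(dy)]
    return ccq_state(p_xy, [[rho_e_given_y[y] for y in range(dy)] for _ in range(dx)])


def trace_distance(rho, sigma):
    """delta(rho, sigma) = 1/2 tr|rho - sigma|; for a Hermitian difference, tr|A| is the sum of |eigenvalues|."""
    return 0.5 * float(np.sum(np.abs(np.linalg.eigvalsh(rho - sigma))))


def partial_trace_first(rho, dim_first, dim_rest):
    """Trace out the first register: tr_X(rho_XE)."""
    r = rho.reshape(dim_first, dim_rest, dim_first, dim_rest)
    return np.einsum("ijik->jk", r)


def bit_channel(eta):
    """Constructed input: E is a qubit holding a copy of a classical bit, flipped with probability eta.
    Returns [rho_E^0, rho_E^1]."""
    return [np.diag([1 - eta, eta]).astype(complex), np.diag([eta, 1 - eta]).astype(complex)]


def independence_gap(eta=0.1):
    """Distance of rho_XE from rho_X (x) rho_E for a uniform bit X and the noisy copy E.
    Returns (direct trace distance, the same value via sum_x P_X(x) delta(rho_E^x, rho_E'^x))."""
    p_x = np.array([0.5, 0.5])
    rho_e_x = bit_channel(eta)
    rho_xe = cq_state(p_x, rho_e_x)
    rho_e = partial_trace_first(rho_xe, 2, 2)          # for eta = 0.1 this is the fully mixed qubit
    direct = trace_distance(rho_xe, np.kron(np.diag(p_x).astype(complex), rho_e))
    blockwise = sum(p_x[x] * trace_distance(rho_e_x[x], rho_e) for x in range(2))
    return direct, blockwise


def markov_gap(eta=0.1, q=0.2):
    """delta(rho_XYE, rho_{X<->Y<->E}) in two constructed scenarios with X uniform and Y = X flipped w.p. q:
    (a) E is a noisy copy of Y: E depends on X only through Y, so the distance is 0;
    (b) E is a noisy copy of X: E carries information on X beyond Y, so the distance is positive."""
    p_xy = np.array([[0.5 * (1 - q), 0.5 * q], [0.5 * q, 0.5 * (1 - q)]])
    noisy = bit_channel(eta)
    case_a = [[noisy[y] for y in range(2)] for x in range(2)]
    case_b = [[noisy[x] for y in range(2)] for x in range(2)]
    return tuple(trace_distance(ccq_state(p_xy, c), markov_state(p_xy, c)) for c in (case_a, case_b))


if __name__ == "__main__":
    print("independence gap (direct, blockwise):", independence_gap())
    print("markov gap (E copies Y, E copies X):", markov_gap())
```

With the default parameters, `independence_gap` returns 0.4 both ways, matching the blockwise formula $\sum_x P_X(x)\,\delta(\rho^x_E, \rho^x_{E'})$ for equal marginals; with `eta = 0.5` the copy carries nothing and the gap is 0. `markov_gap` returns 0 for the state where $E$ depends on $X$ only through $Y$ and 0.256 for the state where $E$ is a copy of $X$, which is exactly the kind of correlation Definition 4.1 later rules out with $\rho_{UXVYY'} \approx_\varepsilon \rho_{UX \leftrightarrow VY \leftrightarrow Y'}$.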

We will make use of the following lemmas whose proofs are given in Appendix A.

Lemma 2.1. 1. If $\rho_{XYZE} \approx_\varepsilon \rho_{X \leftrightarrow Y \leftrightarrow ZE}$ then $\rho_{XYZE} \approx_{2\varepsilon} \rho_{X \leftrightarrow YZ \leftrightarrow E}$.

2. If $\rho_{XZE} \approx_\varepsilon \rho_X \otimes \rho_{ZE}$ then $\rho_{XZE} \approx_{2\varepsilon} \rho_{X \leftrightarrow Z \leftrightarrow E}$.

3. If $\rho_{XZE} \approx_\varepsilon \frac{\mathbb{1}}{|\mathcal{X}|} \otimes \rho_{ZE}$, then $\rho_{XZE} \approx_{4\varepsilon} \rho_{X \leftrightarrow Z \leftrightarrow E}$.

Lemma 2.2. If $\rho_{XYE} \approx_\varepsilon \rho_{X \leftrightarrow Y \leftrightarrow E}$ then $\rho_{Xf(X,Y)YE} \approx_\varepsilon \rho_{Xf(X,Y) \leftrightarrow Y \leftrightarrow E}$ for any function
$f$.

Lemma 2.3. For an event $\mathcal{E}$ which is completely determined by the random variable $Y$,
i.e. for all $y$, the probability $\Pr[\mathcal{E}\,|\,Y = y]$ either vanishes or equals one, we can decompose
the density matrix $\rho_{X \leftrightarrow Y \leftrightarrow E}$ into^5

$$\rho_{X \leftrightarrow Y \leftrightarrow E} = \Pr[\mathcal{E}] \cdot \rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}} + \Pr[\bar{\mathcal{E}}] \cdot \rho_{X \leftrightarrow Y \leftrightarrow E|\bar{\mathcal{E}}} \,.$$

3 Protocols and Functionalities 

Quantum Protocols. We consider two-party quantum protocols $\pi = (A, B)$, consisting
of interactive quantum algorithms $A$ and $B$. For convenience, we call the two parties who
run $A$ and $B$ Alice and Bob, respectively. There are different approaches to formally define
interactive quantum algorithms and thus quantum two-party protocols, in particular when
we restrict in- and outputs (of honest participants) to be classical. For instance such a
formalization can be done by means of quantum circuits, or by means of a classical Turing
machine which outputs unitaries that are applied to a quantum register. For our work, the

^5 One is tempted to think that such a decomposition holds for any event $\mathcal{E}$; however, this is not true. See
Lemma 2.1 of [DFSS07] for another special case where the decomposition does hold.
specific choice of the formalization is immaterial; what is important is that such a two-
party quantum protocol, formalized in whatever way, uniquely specifies its input-output
behavior. Therefore, in this work, we capture quantum protocols by their input-output
behavior, which we formalize by a quantum operation, i.e. a trace-preserving completely-
positive map, which maps the common two-partite input state $\rho_{UV}$ to the common two-
partite output state $\rho_{XY}$. We denote this operation by $\rho_{XY} = \pi\,\rho_{UV}$ and, when we want
to emphasize that $\pi$ is executed by honest Alice and Bob, also by $\rho_{XY} = \pi_{A,B}\,\rho_{UV}$. If one
of the players, say Bob, is dishonest and follows a malicious strategy $B'$, then we slightly
abuse notation and write $\pi_{A,B'}$ for the corresponding operator.

Protocols and Functionalities with Classical In- and Output. In this work, we
focus on quantum protocols $\pi = (A, B)$ with classical in- and output for the honest players.
This means that we assume the common input state $\rho_{UV}$ to be classical, i.e. of the
form $\rho_{UV} = \sum_{u,v} P_{UV}(u,v)\,|u\rangle\langle u| \otimes |v\rangle\langle v|$ for some probability distribution $P_{UV}$, and the
common output state $\rho_{XY} = \pi_{A,B}\,\rho_{UV}$ is then guaranteed to be classical as well, i.e.,
$\rho_{XY} = \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y|$. In this case we may understand $U$ and $V$ as well as
$X$ and $Y$ as random variables, and we also write $(X, Y) = \pi(U, V)$. Note that the input-
output behavior of the protocol is uniquely determined by the conditional probability
distribution $P_{XY|UV}$. If one of the players, say Bob, is dishonest and follows a malicious
strategy $B'$, then we may allow his part of the input to be quantum and denote it as $V'$,
i.e. $\rho_{UV'} = \sum_u P_U(u)\,|u\rangle\langle u| \otimes \rho_{V'|U=u}$, and we allow his part $Y'$ of the common output
state $\rho_{XY'} = \pi_{A,B'}\,\rho_{UV'}$ to be quantum, i.e. $\rho_{XY'} = \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_{Y'|X=x}$. We write
$\rho_{UV'}$ as $\rho_{U\emptyset} = \rho_U \otimes \rho_\emptyset = \rho_U$ if $V'$ is empty, i.e. if $B'$ has no input at all, and we write it
as $\rho_{UZV'}$ if part of his input, $Z$, is actually classical.

A classical non-reactive two-party ideal functionality $\mathcal{F}$ is given by a conditional prob-
ability distribution $P_{\mathcal{F}(U,V)|UV}$, inducing a pair of random variables $(X, Y) = \mathcal{F}(U, V)$ for
every joint distribution of $U$ and $V$. We also want to take into account ideal functionali-
ties which allow the dishonest player some additional — though still limited — possibilities
(as for instance in Section 6 or 7). We do this as follows. We specify $\mathcal{F}$ not only for the
"proper" domains $\mathcal{U}$ and $\mathcal{V}$, over which $U$ and $V$ are supposed to be distributed, but we
actually specify it for some larger domains $\mathcal{U}' \supseteq \mathcal{U}$ and $\mathcal{V}' \supseteq \mathcal{V}$. The understanding is that
$U$ and $V$ provided by honest players always lie in $\mathcal{U}$ and $\mathcal{V}$, respectively, whereas a dishon-
est player, say Bob, may select $V$ from $\mathcal{V}' \setminus \mathcal{V}$, and this way Bob may cause $\mathcal{F}$, if specified
that way, to process its inputs differently and/or to provide a "more informative" output
$Y$ to Bob. For simplicity though, we often leave the possibly different domains for honest
and dishonest players implicit.

We write $(X, Y) = \mathcal{F}_{A,B}(U, V)$ or $\rho_{XY} = \mathcal{F}_{A,B}\,\rho_{UV}$ for the execution of the "ideal-
life" protocol, where Alice and Bob forward their inputs to $\mathcal{F}$ and output whatever they
obtain from $\mathcal{F}$. And we write $\rho_{XY'} = \mathcal{F}_{A,B'}\,\rho_{UV'}$ for the execution of this protocol with a
dishonest Bob with strategy $B'$ and quantum input $V'$. Note that Bob's possibilities are
very limited: he can produce some classical input $V$ for $\mathcal{F}$ (distributed over $\mathcal{V}'$) from his
input quantum state $V'$, and then he can prepare and output a quantum state $Y'$ which
might depend on $\mathcal{F}$'s reply $Y$.

Classical Hybrid Protocols. A two-party classical hybrid protocol $\Sigma^{\mathcal{F}_1,\ldots,\mathcal{F}_\ell} = (A, B)$
between Alice and Bob is a protocol which makes a bounded number $k$ of sequential
oracle calls to possibly different ideal functionalities $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$. We allow $A$ and $B$ to
make several calls to independent copies of the same $\mathcal{F}_i$, but we require from $\Sigma^{\mathcal{F}_1,\ldots,\mathcal{F}_\ell}$
that for every possible execution, there is always agreement between $A$ and $B$ on when to
call which functionality; for instance we may assume that $A$ and $B$ exchange the index $i$
before they call $\mathcal{F}_i$ (and stop if there is disagreement).

Formally, such a classical hybrid protocol is given by a sequence of $k+1$ quantum protocols
formalized by quantum operators with classical in- and output for the honest players, see
Figure 1. For an honest player, say Alice, the $j$-th protocol outputs an index $i$ indicating
which functionality is to be called, classical auxiliary (or "state") information $S_j$ and a
classical input $U_j$ for $\mathcal{F}_i$. The $(j+1)$-st protocol expects as input $S_j$ and Alice's classical
output $X_j$ from $\mathcal{F}_i$. Furthermore, the first protocol expects Alice's classical input $U$ to the
hybrid protocol, and the last produces the classical output $X$ of the hybrid protocol. In
case of a dishonest player, say Bob, all in- and outputs may be quantum states $V'_j$
respectively $Y'_j$. By instantiating the $j$-th call to a functionality $\mathcal{F}$ (where we from now on
omit the index for simpler notation) in the obvious way by the corresponding "ideal-life"
protocol $\mathcal{F}_{A,B}$ (respectively $\mathcal{F}_{A',B}$ or $\mathcal{F}_{A,B'}$, in case of a dishonest Alice or Bob), we obtain
the instantiated hybrid protocol formally described by quantum operator $\Sigma^{\mathcal{F}_1,\ldots,\mathcal{F}_\ell}_{A,B}$
(respectively $\Sigma^{\mathcal{F}_1,\ldots,\mathcal{F}_\ell}_{A',B}$ or $\Sigma^{\mathcal{F}_1,\ldots,\mathcal{F}_\ell}_{A,B'}$).^6

For the hybrid protocol to be classical, we mean that it has classical in- and output
(for the honest players), but also that all communication between Alice and Bob is
classical.^7 Since we have not formally modeled the communication within (hybrid)
protocols, we need to formalize this property as a property of the quantum operators
that describe the hybrid protocol: Consider a dishonest player, say Bob, with no input,
and consider the common state $\rho_{S_j U_j V'_j}$ at any point during the execution of the hybrid
protocol when a call to functionality $\mathcal{F}_i$ is made. The requirement for the hybrid protocol
to be classical is now expressed in that there exists a classical $Z_j$ — to be understood as
consisting of $B'$'s classical communication with $A$ and with the $\mathcal{F}_i$'s up to this point — such
that given $Z_j$, Bob's quantum state $V'_j$ is uncorrelated with (i.e. independent of) Alice's
classical input and auxiliary information: $\rho_{S_j U_j Z_j V'_j} = \rho_{S_j U_j \leftrightarrow Z_j \leftrightarrow V'_j}$. Furthermore, we
require that we may assume $Z_j$ to be part of $V'_j$ in the sense that for any $B'$ there exists
$B''$ such that $Z_j$ is part of $V'_j$. This definition is motivated by the observation that if Bob
can communicate only classically with Alice, then he can correlate his quantum state with
information on Alice's side only by means of the classical communication.

We also consider the protocol we obtain by replacing the ideal functionalities by
quantum two-party sub-protocols $\pi_1, \ldots, \pi_\ell$ with classical in- and outputs for the hon-
est parties: whenever $\Sigma^{\mathcal{F}_1,\ldots,\mathcal{F}_\ell}$ instructs $A$ and $B$ to execute $\mathcal{F}_{A,B}$, they instead execute
$\pi_i = (A_i, B_i)$ and take the resulting outputs. We write $\Sigma^{\pi_1,\ldots,\pi_\ell} = (A, B)$ for the real
quantum protocol we obtain this way.



Fig. 1. Hybrid protocol $\Sigma^{\mathcal{F}}$ (figure not reproduced here).



^6 Note that for simpler notation, we are a bit sloppy and give the same name, like $A$ and $B'$, to honest
Alice's and dishonest Bob's strategy within different (sub)protocols.

^7 We do not explicitly require the internal computations of the honest parties to be classical.
4 Security for Two-Party Quantum Protocols

4.1 The Security Definition 

Framework. We use the following framework for defining security of a quantum proto-
col $\pi$ with classical in- and output. We distinguish three cases and consider the respective
output states obtained by executing $\pi$ in case of honest Alice and honest Bob, in case
of honest Alice and dishonest Bob, and in case of dishonest Alice and honest Bob. For
each of these cases we require some security conditions on the output state to hold. More
precisely, for honest Alice and Bob, we fix an arbitrary joint probability distribution $P_{UV}$
for the inputs $U$ and $V$, resulting in outputs $(X, Y) = \pi_{A,B}(U, V)$ with a well defined
joint probability distribution $P_{UVXY}$. For an honest Alice and a dishonest Bob, we fix an
arbitrary distribution $P_U$ for Alice's input and an arbitrary strategy $B'$ with no input for
Bob, and we consider the resulting joint output state

$$\rho_{UXY'} = (\mathrm{id}_U \otimes \pi_{A,B'})\,\rho_{UU\emptyset} = \sum_u P_U(u)\,|u\rangle\langle u| \otimes \pi_{A,B'}\big(|u\rangle\langle u| \otimes \rho_\emptyset\big)$$

augmented with Alice's input $U$, where $U$ and $X$ are classical and $Y'$ is in general quan-
tum. And, correspondingly, for a dishonest Alice and an honest Bob, we fix an arbitrary
distribution $P_V$ for Bob's input and an arbitrary strategy $A'$ with no input for Alice, and
we consider the resulting joint output state

$$\rho_{VX'Y} = (\mathrm{id}_V \otimes \pi_{A',B})\,\rho_{V\emptyset V} = \sum_v P_V(v)\,|v\rangle\langle v| \otimes \pi_{A',B}\big(\rho_\emptyset \otimes |v\rangle\langle v|\big)$$

augmented with Bob's input $V$. Then, security is defined by specific information-theoretic
conditions on $P_{UVXY}$, $\rho_{UXY'}$ and $\rho_{VX'Y}$, where the conditions depend on the functionality
which $\pi$ is implementing. Definition 4.1 below for a general functionality $\mathcal{F}$, as well as
the definitions studied later for specific functionalities (Definitions 6.1, 7.1 etc.), are to be
understood in this framework. In particular, the augmented common output states are to
be understood as defined above.

We stress once more that the framework assumes that dishonest players have no input 
at all. This might appear too weak at first glance; one would expect a dishonest player, say 
Bob, to at least get the input V of the honest Bob. The justification for giving dishonest 
players no input is that on the one hand, we will show that this "minimalistic approach" 
is good enough for the level of security we are aiming for (see Theorem 5.1), and on the 
other hand, our goal is to keep the security definitions as simple as possible. 

Restricting the Adversary. Since essentially no interesting two-party task can be im-
plemented securely by a quantum protocol against unbounded quantum attacks [May97,LC97,Lo97,Kit03],
one typically has to put some restriction upon the dishonest player's capabilities. One such
restriction, which proved to lead to interesting results, is to limit the quantum-storage
capabilities of the dishonest player [DFSS05,DFR+07,DFSS07,WST07], but one can also
consider other restrictions like a bound on the size of coherent measurements dishonest
players can do [Sal98].

Throughout, we let $\mathfrak{A}$ and $\mathfrak{B}$ be subfamilies of all possible strategies $A'$ and $B'$ of a dis-
honest Alice and a dishonest Bob, respectively. In order to circumvent some pathological
counter examples, we need to assume the following two natural consistency conditions on
$\mathfrak{A}$, and correspondingly on $\mathfrak{B}$. If a dishonest strategy $A' \in \mathfrak{A}$ expects as input some state
$\rho_{ZU'}$ with classical $Z$, then for any $z$ and for any $\rho_{U'|Z=z}$, the strategy $A'_{z,\rho_{U'|Z=z}}$, which
has $z$ hard-wired and prepares the state $\rho_{U'|Z=z}$ as an initial step but otherwise runs like
$A'$, is in $\mathfrak{A}$ as well. And, if $A' \in \mathfrak{A}$ is a dishonest strategy for a protocol $\Sigma^{\pi}$ which makes
a call to a sub-protocol $\pi$, then the corresponding "sub-strategy" of $A'$, which is active
during the execution of $\pi$, is in $\mathfrak{A}$ as well.

Defining Security. Following the framework described above, we propose the following 
security definition for two-party quantum protocols with classical in- and output. The 
justification for the proposed definition is that it implies strong simulation-based security 
when using quantum protocols as sub- protocols in classical outer protocols (Theorem 5.1), 
yet the definition is expressed in a way that is as simple and as weak as (seemingly) 
possible, making it as easy as possible to design and prove quantum cryptographic schemes 
secure according to the definition. 

Definition 4.1. A two-party quantum protocol $\pi$ $\varepsilon$-securely implements an ideal classical
functionality $\mathcal{F}$ against $\mathfrak{A}$ and $\mathfrak{B}$ if the following holds:

Correctness: For any joint distribution of the input $U$ and $V$, the resulting common
output $(X, Y) = \pi(U, V)$ satisfies

$$(U, V, X, Y) \approx_\varepsilon (U, V, \mathcal{F}(U, V)) \,.$$

Security for Alice: For any $B' \in \mathfrak{B}$ (with no input), and for any distribution of $U$, the
resulting common output state $\rho_{UXY'}$ (augmented with $U$) is such that there exist^8
classical random variables $V$ and $Y$ such that

$$\rho_{UV} \approx_\varepsilon \rho_U \otimes \rho_V, \quad (U, V, X, Y) \approx_\varepsilon (U, V, \mathcal{F}(U, V)) \quad \text{and} \quad \rho_{UXVYY'} \approx_\varepsilon \rho_{UX \leftrightarrow VY \leftrightarrow Y'} \,.$$

Security for Bob: For any $A' \in \mathfrak{A}$ (with no input), and for any distribution of $V$, the
resulting common output state $\rho_{VX'Y}$ (augmented with $V$) is such that there exist
classical random variables $U$ and $X$ such that

$$\rho_{UV} \approx_\varepsilon \rho_U \otimes \rho_V, \quad (U, V, X, Y) \approx_\varepsilon (U, V, \mathcal{F}(U, V)) \quad \text{and} \quad \rho_{VYUXX'} \approx_\varepsilon \rho_{VY \leftrightarrow UX \leftrightarrow X'} \,.$$

The three conditions for dishonest Bob (and similarly for dishonest Alice) express that,
up to a small error, $V$ is independent of $U$, $X$ and $Y$ are obtained by applying $\mathcal{F}$, and
the quantum state $Y'$ is obtained by locally processing $V$ and $Y$.

4.2 Equivalent Formulations 

As already mentioned, Definition 4.1 appears to guarantee security only in a very restricted 
setting, where the honest player has no information beyond his input, and the dishonest 
player has no (auxiliary) information at all. Below, we argue that Definition 4.1 actually 
implies security in a somewhat more general setting, where the dishonest player is allowed 
as input to have arbitrary classical information Z as well as a quantum state which only 
depends on Z. For completeness, although this is rather clear, we also argue that not 
only the honest player's input is protected, but also any classical "side information" S he 
might additionally have but does not use. 

^8 as defined in Section 2.
Proposition 4.2. Let $\pi$ be a two-party protocol that $\varepsilon$-securely implements $\mathcal{F}$ against $\mathfrak{A}$
and $\mathfrak{B}$. Let $B' \in \mathfrak{B}$ be a dishonest Bob who takes as input a classical $Z$ and a quantum
state $V'$ and outputs (the same) $Z$ and a quantum state $Y'$. Then, for any $\rho_{SUZV'}$ with
$\rho_{SUZV'} = \rho_{SU \leftrightarrow Z \leftrightarrow V'}$, the resulting overall output state (augmented with $S$ and $U$)

$$\rho_{SUXZY'} = (\mathrm{id}_{SU} \otimes \pi_{A,B'})\,\rho_{SUUZV'} = \sum_{s,u,z} P_{SUZ}(s,u,z)\,|s,u\rangle\langle s,u| \otimes \pi_{A,B'}\big(|u\rangle\langle u| \otimes |z\rangle\langle z| \otimes \rho_{V'|Z=z}\big)$$

is such that there exist classical random variables $V$ and $Y$ such that $\rho_{SUZV} \approx_\varepsilon \rho_{SU \leftrightarrow Z \leftrightarrow V}$,
$(S, U, V, X, Y, Z) \approx_\varepsilon (S, U, V, \mathcal{F}(U, V), Z)$ and $\rho_{SUXVYZY'} \approx_\varepsilon \rho_{SUX \leftrightarrow VYZ \leftrightarrow Y'}$. The corre-
sponding holds for a dishonest Alice.

Proof. It is rather clear that we can extend the setting from Definition 4.1 by $S$: We
can view $S$ as an additional input to $\mathcal{F}$, provided by Alice besides $U$, which is simply
ignored by $\mathcal{F}$. Definition 4.1 then immediately implies that the common output state
$\rho_{SUXY'}$ allows $V$ and $Y$ such that $\rho_{SUV} \approx_\varepsilon \rho_{SU}\rho_V$, $(S, U, V, X, Y) \approx_\varepsilon (S, U, V, \mathcal{F}(U, V))$
and $\rho_{SUXVYY'} \approx_\varepsilon \rho_{SUX \leftrightarrow VY \leftrightarrow Y'}$.

Consider now a dishonest Bob who holds some classical auxiliary information $Z$. Ap-
plying Definition 4.1 with the above observation to the distribution $P_{SU|Z=z}$ and the
dishonest Bob who has $z$ hard-wired and locally prepares $\rho^z_{V'} = \rho_{V'|Z=z}$ im-
plies that the conditioned common output state $\rho_{SUXY'|Z=z}$ allows $V$ and $Y$ such that

$$\rho_{SUV|Z=z} \approx_\varepsilon \rho_{SU|Z=z}\,\rho_{V|Z=z}, \quad \rho_{SUVXY|Z=z} \approx_\varepsilon \rho_{SUV\mathcal{F}(U,V)|Z=z} \quad \text{and} \quad \rho_{SUXVYY'|Z=z} \approx_\varepsilon \rho_{SUX \leftrightarrow VY \leftrightarrow Y'|Z=z} \,.$$

As the above holds for any $z$, it follows that $\rho_{SUZV} \approx_\varepsilon \rho_{SU \leftrightarrow Z \leftrightarrow V}$,
$\rho_{SUVXYZ} \approx_\varepsilon \rho_{SUV\mathcal{F}(U,V)Z}$ as well as that

$$\begin{aligned}
\rho_{SUXVYZY'} &= \sum_z P_Z(z)\,|z\rangle\langle z| \otimes \rho_{SUXVYY'|Z=z} \\
&\approx_\varepsilon \sum_z P_Z(z)\,|z\rangle\langle z| \otimes \rho_{SUX \leftrightarrow VY \leftrightarrow Y'|Z=z} \\
&= \sum_z P_Z(z)\,|z\rangle\langle z| \otimes \sum_{suxvy} P_{SUXVY|Z}(s,u,x,v,y|z)\,|suxvy\rangle\langle suxvy| \otimes \rho^{v,y,z}_{Y'} \\
&= \sum_{suxvyz} P_{SUXVYZ}(s,u,x,v,y,z)\,|suxvyz\rangle\langle suxvyz| \otimes \rho^{v,y,z}_{Y'} \\
&= \rho_{SUX \leftrightarrow VYZ \leftrightarrow Y'} \,.
\end{aligned}$$

□

Note the restriction on the adversary's quantum input V', namely that it is only 
allowed to depend on the honest player's input U (and side information S) "through" 
Z. It is this limitation which prohibits quantum protocols satisfying Definition 4.1 to 
securely compose into outer quantum protocols but requires the outer protocol to be 
classical. Indeed, within a quantum protocol that uses quantum communication, a dis- 
honest player may be able to correlate his quantum state with classical information on 
the honest player's side; however, within a classical protocol, he can only do so through 
the classical communication so that his state is still independent when given the classical 
communication. 

The following proposition shows equivalence to a simulation-based definition; this will 
be a handy formulation in order to prove the composition theorem. 

Proposition 4.3. Let $\pi$ be a two-party protocol that $\varepsilon$-securely implements $\mathcal{F}$ against $\mathfrak{A}$
and $\mathfrak{B}$. Let $B' \in \mathfrak{B}$ be a dishonest Bob who takes as input a classical $Z$ and a quantum
state $V'$, engages into $\pi$ with honest Alice and outputs $Z$ and a quantum state $Y'$. Then,
for any $\rho_{SUZV'}$ with $\rho_{SUZV'} = \rho_{SU \leftrightarrow Z \leftrightarrow V'}$ there exists $\hat{B}'$ such that

$$(\mathrm{id}_S \otimes \pi_{A,B'})\,\rho_{SUZV'} \approx_{3\varepsilon} (\mathrm{id}_S \otimes \mathcal{F}_{A,\hat{B}'})\,\rho_{SUZV'} \,.$$

The corresponding holds for a dishonest Alice.

Proof. Given that $Z = z$, $\hat{B}'$ samples $v$ according to the distribution $P_{V|Z=z}$, and sends it
to $\mathcal{F}$ in order to receive output $y$. Then, $\hat{B}'$ prepares and outputs the quantum state $\rho^{v,y,z}_{Y'}$.
The resulting common output state $\rho_{SUXZY'}$ (augmented with $S$ and $U$) is as follows.

$$\begin{aligned}
\rho_{SUXZY'} &= \sum_{s,u,z} P_{SUZ}(s,u,z) \sum_v P_{V|Z}(v|z) \sum_{x,y} P_{\mathcal{F}(u,v)|UV}(x,y|u,v)\,|s,u,x,z\rangle\langle s,u,x,z| \otimes \rho^{v,y,z}_{Y'} \\
&\approx_\varepsilon \sum_{s,u,v,z} P_{SUVZ}(s,u,v,z) \sum_{x,y} P_{\mathcal{F}(u,v)|UV}(x,y|u,v)\,|s,u,x,z\rangle\langle s,u,x,z| \otimes \rho^{v,y,z}_{Y'} \\
&= \sum_{s,u,v,z} P_{SUVZ}(s,u,v,z) \sum_{x,y} P_{\mathcal{F}(u,v)|SUVZ}(x,y|s,u,v,z)\,|s,u,x,z\rangle\langle s,u,x,z| \otimes \rho^{v,y,z}_{Y'} \\
&\approx_\varepsilon \sum_{s,u,v,x,y,z} P_{SUVXYZ}(s,u,v,x,y,z)\,|s,u,x,z\rangle\langle s,u,x,z| \otimes \rho^{v,y,z}_{Y'} \\
&= \mathrm{tr}_{VY}\big(\rho_{SUX \leftrightarrow VYZ \leftrightarrow Y'}\big) \approx_\varepsilon \rho_{SUXZY'} \,.
\end{aligned}$$

□

Recall that $\mathcal{F}_{A,\hat{B}'}$ is the execution of the "ideal-life" protocol, where honest $A$ relays in-
and outputs, and the only thing dishonest $\hat{B}'$ can do is modify the input and the output.
Note that we do not guarantee that $\hat{B}'$ is in $\mathfrak{B}$; we will comment on this after Theorem 5.1.

5 Composability 

We show the following composition result. If quantum protocols $\pi_1, \ldots, \pi_\ell$ securely implement ideal functionalities $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$ according to Definition 4.1, then any two-party classical hybrid protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ which makes sequential calls to $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$ is essentially equally secure as the protocol obtained by replacing the calls to $\mathcal{F}_1, \ldots, \mathcal{F}_\ell$ by the respective quantum subroutines $\pi_1, \ldots, \pi_\ell$.

We stress that the $\mathcal{F}_i$'s are classical functionalities, i.e., even a dishonest player $\hat{A}'$ or $\hat{B}'$ can only input a classical value to $\mathcal{F}_i$, and for instance cannot execute $\mathcal{F}_i$ with several inputs in superposition. This makes our composition result stronger, because we give the adversary less power in the "ideal" (actually hybrid) world.

Theorem 5.1 (Composition Theorem). Let $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell} = (\hat{A}, \hat{B})$ be a classical two-party hybrid protocol which makes at most $k$ oracle calls to the functionalities, and for every $i \in \{1, \ldots, \ell\}$, let protocol $\pi_i$ be an $\varepsilon$-secure implementation of $\mathcal{F}_i$ against $\mathfrak{A}$ and $\mathfrak{B}$. Then, the following holds.

Correctness: For every distribution of $U$ and $V$

$$\delta\big(\Sigma^{\pi_1 \cdots \pi_\ell}_{A,B}\,\rho_{UV},\; \Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}_{\hat{A},\hat{B}}\,\rho_{UV}\big) \le k\varepsilon\,.$$

Security for Alice: For every $B' \in \mathfrak{B}$ there exists $\hat{B}'$ such that for every distribution of $U$

$$\delta\big(\Sigma^{\pi_1 \cdots \pi_\ell}_{A,B'}\,\rho_{U\emptyset},\; \Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}_{\hat{A},\hat{B}'}\,\rho_{U\emptyset}\big) \le 3k\varepsilon\,.$$

Security for Bob: For every $A' \in \mathfrak{A}$ there exists $\hat{A}'$ such that for every distribution of $V$

Before going into the proof, we would like to point out the following observations. First of all, note that the quantification is such that the dishonest hybrid adversary $\hat{B}'$ (and correspondingly $\hat{A}'$) does not depend on the distribution of the honest player's input $U$, and as such we do not need to assume that the adversary knows the honest player's input distribution.

Also note that in contrast to typical composition theorems, which per-se guarantee 
security when replacing one functionality by a sub-protocol and where in case of several 
functionalities security then follows by induction, Theorem 5.1 is stated in such a way 
that it directly guarantees security when replacing all functionalities by sub-protocols. The 
reason for this is that the assumption that the outer protocol is classical is not satisfied 
anymore once the first functionality is replaced by a quantum sub-protocol, and thus 
the inductive reasoning does not work directly. We stress that our composition theorem 
nevertheless allows for several levels of compositions (see Corollary 5.2 and the preceding 
discussion) . 

Furthermore, note that we do not guarantee that the dishonest hybrid adversary $\hat{B}'$ is in $\mathfrak{B}$ (and similarly for $\hat{A}'$). For instance the specific $\hat{B}'$ we construct in the proof is more involved with respect to classical resources (memory and computation), but less involved with respect to quantum resources: essentially it follows $B'$, except that it remembers all classical communication and except that the actions during the sub-protocols are replaced by sampling a value from some distribution and preparing a quantum state (of a size that also $B'$ has to handle); the descriptions of the distribution and the state have to be computed by $\hat{B}'$ from the stored classical communication. By this, natural restrictions on $B'$ concerning its quantum capabilities propagate to $\hat{B}'$. For instance if $B'$ has a quantum memory of bounded size, so has $\hat{B}'$. Furthermore, in many cases the classical hybrid protocol is actually unconditionally secure against classical dishonest players and as such in particular secure against unbounded quantum dishonest players (because every dishonest quantum strategy can be simulated by an unbounded classical adversary), so no restriction on $\hat{B}'$ is needed.

Finally, note that we do not specify what it means for the hybrid protocol to be secure; 
Theorem 5.1 guarantees that whatever the hybrid protocol achieves, essentially the same 
is achieved by the real-life protocol with the oracle calls replaced by protocols. But of 
course in particular, if the hybrid protocol is secure in the sense of Definition 4.1, then so 
is the real-life protocol, and as such it could itself be used as a quantum sub-protocol in 
yet another classical outer protocol. 

Corollary 5.2. If $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ is a $\delta$-secure implementation of $\mathcal{G}$ against $\mathfrak{A}$ and $\mathfrak{B}$, and if $\pi_i$ is an $\varepsilon$-secure implementation of $\mathcal{F}_i$ against $\mathfrak{A}$ and $\mathfrak{B}$ for every $i \in \{1, \ldots, \ell\}$, then $\Sigma^{\pi_1 \cdots \pi_\ell}$ is a $(\delta + 3k\varepsilon)$-secure implementation of $\mathcal{G}$.

Proof (of Theorem 5.1). Correctness is obvious. We show security for Alice; security for Bob can be shown accordingly. Consider a dishonest $B'$. First we argue that for every distribution for Alice's input $U$, there exists a $\hat{B}'$ as claimed (which though may depend on $P_U$). Then, in the end, we show how to make $\hat{B}'$ independent of $P_U$.

Let $A$'s input $U$ be arbitrarily distributed. We prove the claim by induction on $k$. The claim holds trivially for protocols that make zero oracle calls. Consider now a protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ with at most $k \geq 1$ oracle calls. For simplicity, we assume that the number of oracle calls equals $k$, otherwise we instruct the players to make some "dummy calls". Let $\rho^{k}_{SUV'}$ be the common state right before the $k$-th and thus last call to one of the sub-protocols $\pi_1, \ldots, \pi_\ell$ in the execution of the real protocol $\Sigma^{\pi_1 \cdots \pi_\ell}$. To simplify notation in the rest of the proof, we omit the index $k$ and write $\rho_{SUV'}$ instead; see Figure 2. We know from the induction hypothesis for $k-1$ that there exists $\hat{B}'$ such that $\rho_{SUV'} \approx_{3(k-1)\varepsilon} \sigma_{SUV'}$, where $\sigma_{SUV'}$ is the common state right before the $k$-th call to a functionality in the execution of the hybrid protocol $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}_{\hat{A},\hat{B}'}$. As described in Section 3, $S$, $U$ and $V'$ are to be understood as follows. $S$ denotes $A$'s (respectively $\hat{A}$'s) classical auxiliary information to be "remembered" during the call to the functionality. $U$ denotes $A$'s (respectively $\hat{A}$'s) input to the sub-protocol (respectively functionality) that is to be called next, and $V'$ denotes the dishonest player's current quantum state. For simplicity, we assume that the index $i$, which determines the sub-protocol $\pi_i$ (functionality $\mathcal{F}_i$) to be called next, is fixed and we just write $\pi$ and $\mathcal{F}$ for $\pi_i$ and $\mathcal{F}_i$, respectively. If this is not the case, we consider $\rho_{SUV'|I=i}$ and $\sigma_{SUV'|I=i}$ instead, and reason as below for any $i$, where $I$ denotes the index of the sub-protocol (functionality) to be called. Note that conditioning on $I = i$ means that we allow $\hat{B}'$ to depend on $i$, but this is legitimate since $I$ is known to the dishonest party.



[Figure 2 (diagram, not reproduced): the states $\rho_{SUV'}$ and $\sigma_{SUV'}$ before the $k$-th call and $\sigma_{SXY'}$ after it, along the two executions $\pi_{A,B'}$ and $\mathcal{F}_{\hat{A},\hat{B}'}$.]

Fig. 2. Steps of the Composability Proof

Consider now the evolution of the state $\sigma_{SUV'}$ when executing $\mathcal{F}_{\hat{A},\hat{B}'}$ (as prescribed by the hybrid protocol) with a strategy for $\hat{B}'$ yet to be determined and when executing $\pi_{A,B'}$ instead. Let $\sigma_{SXY'}$ and $\tau_{SXY'}$ denote the corresponding states after the execution of respectively $\pi_{A,B'}$ and $\mathcal{F}_{\hat{A},\hat{B}'}$, see Figure 2. We show that $\sigma_{SXY'}$ and $\tau_{SXY'}$ are $3\varepsilon$-close; this then proves the result by the fact that evolution does not increase the trace distance and by the triangle inequality:

$$\rho_{SXY'} = (\mathrm{id}_S \otimes \pi_{A,B'})\,\rho_{SUV'} \;\approx_{3(k-1)\varepsilon}\; (\mathrm{id}_S \otimes \pi_{A,B'})\,\sigma_{SUV'} = \sigma_{SXY'} \;\approx_{3\varepsilon}\; \tau_{SXY'} = (\mathrm{id}_S \otimes \mathcal{F}_{\hat{A},\hat{B}'})\,\sigma_{SUV'}\,.$$

Let $\sigma_{SUZV'}$, $\sigma_{SXZY'}$ and $\tau_{SXZY'}$ be the extensions of the respective states $\sigma_{SUV'}$, $\sigma_{SXY'}$ and $\tau_{SXY'}$ when we also consider $Z$ (which collects the classical communication dictated by $\Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}$ as well as $\hat{B}'$'s classical inputs to and outputs from the previous oracle calls), which is guaranteed to exist by our formalization of a classical hybrid protocol, so that $Z$ is without loss of generality contained in $V'$ and $\sigma_{SUZV'} = \sigma_{SU \leftrightarrow Z \leftrightarrow V'}$. It follows from Proposition 4.3 that $\sigma_{SXZY'}$ and $\tau_{SXZY'}$ are $3\varepsilon$-close for a proper strategy of $\hat{B}'$. Note that the strategy of $\hat{B}'$ may depend on the state $\sigma_{SUZV'}$; since $P_U$ as well as $\hat{A}$'s behavior are fixed, $\sigma_{SUZV'}$ is also fixed.
It remains to argue that we can make $\hat{B}'$ independent of $P_U$. We use an elegant argument due to Crépeau and Wullschleger [CW08]. We know that for any $P_U$ there exists a $\hat{B}'$ (though depending on $P_U$) as required. For any value $u$ that $U$ may take on, let then

$$\varepsilon_u := \delta\big(\Sigma^{\pi_1 \cdots \pi_\ell}_{A,B'}\,\rho_{U\emptyset|U=u},\; \Sigma^{\mathcal{F}_1 \cdots \mathcal{F}_\ell}_{\hat{A},\hat{B}'}\,\rho_{U\emptyset|U=u}\big)\,.$$

Then, $\sum_u P_U(u)\,\varepsilon_u \le 3k\varepsilon$. The $\varepsilon_u$'s depend on $P_U$, and thus we also write $\varepsilon_u(P_U)$. Consider now the function $F$ which maps an arbitrary distribution $P_U$ for $U$ to a new distribution defined as $F(P_U)(u) := [\text{factor illegible in the scan}] \cdot P_U(u)$. Function $F$ is continuous and maps a non-empty, compact, convex set onto itself. Thus, by Brouwer's Fixed Point Theorem, it must have a fixed point: a distribution $P_U$ with $F(P_U) = P_U$, and thus $\varepsilon_u(P_U) \le 3k\varepsilon$ for any $u$. It follows that $\hat{B}'$ which works for that particular distribution $P_U$ in fact works for any specific value for $U$ and so for any distribution of $U$. □

6 Example: Secure Identification

We show that the information-theoretic security definition proposed by Damgård et al. for their secure-identification quantum protocol in the bounded-quantum-storage model [DFSS07] implies security in our sense for a proper functionality $\mathcal{F}_{\mathrm{ID}}$; this guarantees composability as in Theorem 5.1 for their protocol. In Section 7 and in Appendix B, we show the corresponding for the 1-2 OT scheme [DFR+07] and for other variants of OT.

A secure identification scheme allows a user Alice to identify herself to server Bob by securely checking whether the supplied password agrees with the one stored by Bob. Specifically, on respective input strings $W_A, W_B \in \mathcal{W}$ provided by Alice and Bob, the functionality outputs the bit $Y = (W_A = W_B)$ to Bob. A dishonest server $B'$ should learn essentially no information on $W_A$ beyond that he can come up with a guess $W'$ for $W_A$ and learns whether $W' = W_A$ or not, and similarly a dishonest user $A'$ succeeds in convincing Bob essentially only if she guesses $W_B$ correctly. If her guess is incorrect then the only thing she might learn is that her guess is incorrect. The corresponding ideal functionality is depicted in Figure 3. Note that if dishonest $A'$ provides the "correct" input $W_A = W_B$, then $\mathcal{F}_{\mathrm{ID}}$ allows $A'$ to learn this while she may still enforce Bob to reject (by setting the "override bit" $D$ to 0). In Appendix C, we study a slightly stronger variant, which does not allow this somewhat unfair option for $A'$.⁷



Functionality $\mathcal{F}_{\mathrm{ID}}$: Upon receiving strings $W_A$ and $W_B$ from user Alice and from server Bob, $\mathcal{F}_{\mathrm{ID}}$ outputs the bit $W_A = W_B$ to Bob.

If Alice is dishonest, then she may input an additional "override bit" $D$. In this case, $\mathcal{F}_{\mathrm{ID}}$ outputs the bit $W_A = W_B$ to Alice and the bit $(W_A = W_B) \wedge D$ to Bob.

Fig. 3. The Ideal Password-Based Identification Functionality.

We recall the security definition from [DFSS07] for a secure identification scheme. The definition is in the framework described in Section 4.1; thus, it considers a single execution of the protocol with an arbitrary distribution for the honest players' inputs and with no input for dishonest players, and security is defined by information-theoretic conditions on the resulting output states. For consistency with the above notation (and the notation used in [DFSS07]), Alice and Bob's inputs are denoted by $W_A$ and $W_B$, respectively, rather than $U$ and $V$. Furthermore, note that honest Alice's output $X$ is empty: $X = \emptyset$.

⁷ The reason we study here the weaker version is that this corresponds to the security guaranteed by the definition proposed in [DFSS07], as we show.

Definition 6.1 (Secure Identification). A password-based quantum identification scheme is $\varepsilon$-secure (against $\mathfrak{A}$ and $\mathfrak{B}$) if the following properties hold.

Correctness: For honest user Alice and honest server Bob, and for any joint input distribution $P_{W_AW_B}$, Bob learns whether their input is equal, except with probability $\varepsilon$.

Security for Alice: For any dishonest server $B' \in \mathfrak{B}$, and for any distribution of $W_A$, the resulting common output state $\rho_{W_AY'}$ (augmented with $W_A$) is such that there exists a classical $W'$ that is independent of $W_A$ and such that

$$\rho_{W_AW'Y'|W_A \neq W'} \;\approx_{\varepsilon}\; \rho_{W_A \leftrightarrow W' \leftrightarrow Y'|W_A \neq W'}\,.$$

Security for Bob: For any dishonest user $A' \in \mathfrak{A}$, and for any distribution of $W_B$, the resulting common output state $\rho_{W_BYX'}$ (augmented with $W_B$) is such that there exists a classical $W'$ independent of $W_B$, such that if $W_B \neq W'$ then $Y = 1$ with probability at most $\varepsilon$, and

$$\rho_{W_BW'X'|W' \neq W_B} \;\approx_{\varepsilon}\; \rho_{W_B \leftrightarrow W' \leftrightarrow X'|W' \neq W_B}\,.$$

A somewhat more natural functionality (without "override bit") can be achieved by 
slightly strengthening the requirements of Definition 6.1, see Appendix C. 

Proposition 6.2. A quantum protocol satisfying Definition 6.1 $3\varepsilon$-securely implements the functionality $\mathcal{F}_{\mathrm{ID}}$ from Figure 3 according to Definition 4.1.

Proof. Correctness follows immediately.

Security for Alice: Consider $W'$ which is guaranteed to exist by Definition 6.1. Let us define $V = W'$ and let $Y$ be the bit $W_A = W'$. By the requirement of Definition 6.1, $W'$ is independent of Alice's input $W_A$. Furthermore, we have that

$$(W_A, W', \emptyset, Y) = (W_A, W', \mathcal{F}_{\mathrm{ID}}(W_A, W'))$$

by the definition of $\mathcal{F}_{\mathrm{ID}}$. Finally, we note that $Y$ completely determines the event $\mathcal{E} := \{W_A \neq W'\}$ and therefore, we conclude using Lemma 2.3 that

$$\begin{aligned}
\rho_{W_A \emptyset W' Y Y'} &= \Pr[W_A \neq W'] \cdot \rho_{W_AW'YY'|W_A \neq W'} + \Pr[W_A = W'] \cdot \rho_{W_AW'YY'|W_A = W'} \\
&= \Pr[W_A \neq W'] \cdot \rho_{W_AW'YY'|W_A \neq W'} + \Pr[W_A = W'] \cdot \rho_{W_A \leftrightarrow W'Y \leftrightarrow Y'|W_A = W'} \\
&\approx_{\varepsilon} \Pr[W_A \neq W'] \cdot \rho_{W_A \leftrightarrow W'Y \leftrightarrow Y'|W_A \neq W'} + \Pr[W_A = W'] \cdot \rho_{W_A \leftrightarrow W'Y \leftrightarrow Y'|W_A = W'} \\
&= \rho_{W_A \leftrightarrow W'Y \leftrightarrow Y'}\,.
\end{aligned}$$

Security for Bob: Consider $W'$ which is guaranteed to exist by Definition 6.1. Let us define $U$ and $X$ as follows. We let $U = (W', D)$ where we define $D = Y$ if $W_B = W'$, and else we choose $D$ "freshly" to be 0 with probability $\Pr[Y = 0 \mid W_B = W']$ and to be 1 otherwise. Furthermore, we let $X = (W' = W_B)$. Recall that by the requirement of Definition 6.1, $W'$ is independent of Bob's input $W_B$. Furthermore by construction, $D = 0$ with probability $\Pr[Y = 0 \mid W_B = W']$, independent of the value of $W_B$ (and independent of whether $W_B = W'$ or not). Thus, $U$ is perfectly independent of $W_B$.

Since by Definition 6.1 the probability for Bob to decide that the inputs are equal, $Y = 1$, does not exceed $\varepsilon$ if $W_B \neq W'$, we have that

$$\begin{aligned}
P_{UW_BXY} &= \Pr[W_B = W'] \cdot P_{UW_BXY|W_B = W'} + \Pr[W_B \neq W'] \cdot P_{UW_BXY|W_B \neq W'} \\
&= \Pr[W_B = W'] \cdot P_{UW_B\mathcal{F}_{\mathrm{ID}}(U,W_B)|W_B = W'} + \Pr[W_B \neq W'] \cdot P_{UW_BXY|W_B \neq W'} \\
&\approx_{\varepsilon} \Pr[W_B = W'] \cdot P_{UW_B\mathcal{F}_{\mathrm{ID}}(U,W_B)|W_B = W'} + \Pr[W_B \neq W'] \cdot P_{UW_B\mathcal{F}_{\mathrm{ID}}(U,W_B)|W_B \neq W'} \\
&= P_{UW_B\mathcal{F}_{\mathrm{ID}}(U,W_B)}\,.
\end{aligned}$$

Finally, we have

$$\rho_{W_BYUXX'} = \Pr[W_B \neq W'] \cdot \rho_{W_BYW'DXX'|W_B \neq W'} + \Pr[W_B = W'] \cdot \rho_{W_BYW'DXX'|W_B = W'}\,.$$

In the case $W_B = W'$, we have by construction that $D = Y$ and therefore, we obtain that $\rho_{W_BYW'DXX'|W_B = W'} = \rho_{W_BY \leftrightarrow W'DX \leftrightarrow X'|W_B = W'}$. If $W_B \neq W'$, it follows from Definition 6.1 and the fact that $D$ is sampled independently that $\rho_{W_BW'DX'|W' \neq W_B} \approx_{\varepsilon} \rho_{W_B \leftrightarrow W'D \leftrightarrow X'|W' \neq W_B}$. Furthermore, the bit $X$ is fixed to 0 in case $W_B \neq W'$ and we only make an error of at most $\varepsilon$ assuming that Bob's output $Y$ is always 0 and therefore,

$$\begin{aligned}
\rho_{W_BYW'DXX'|W_B \neq W'} &\approx_{\varepsilon} \rho_{W_B(Y=0)W'D(X=0)X'|W_B \neq W'} \\
&\approx_{\varepsilon} \rho_{W_B(Y=0) \leftrightarrow W'D(X=0) \leftrightarrow X'|W_B \neq W'} \\
&\approx_{\varepsilon} \rho_{W_BY \leftrightarrow W'DX \leftrightarrow X'|W_B \neq W'}\,.
\end{aligned}$$

Putting things together, we obtain

$$\begin{aligned}
\rho_{W_BYUXX'} &\approx_{3\varepsilon} \Pr[W_B \neq W'] \cdot \rho_{W_BY \leftrightarrow W'DX \leftrightarrow X'|W_B \neq W'} + \Pr[W_B = W'] \cdot \rho_{W_BY \leftrightarrow W'DX \leftrightarrow X'|W_B = W'} \\
&= \rho_{W_BY \leftrightarrow (W'D)X \leftrightarrow X'}\,,
\end{aligned}$$

where we used Lemma 2.1 and 2.3 in the last step.

□
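As an added illustration (not code from the paper), the following Python script implements the ideal functionality $\mathcal{F}_{\mathrm{ID}}$ of Figure 3 and the construction of $U = (W', D)$ from the security-for-Bob part of this proof on a constructed toy execution; the password space, the distributions of $W_B$ and $W'$, and Bob's acceptance behaviour are all made up here, with Alice's rejection rate on a correct guess chosen independent of the password so that the independence of $U$ and $W_B$ holds exactly. It then checks by exact enumeration that $U$ is independent of $W_B$ and that replacing the real $(X, Y)$ by $\mathcal{F}_{\mathrm{ID}}(U, W_B)$ moves exactly $\Pr[W_B \neq W'] \cdot \Pr[Y = 1 \mid W_B \neq W']$ of probability mass, which is at most $\varepsilon$.

```python
from fractions import Fraction
from itertools import product

# Constructed toy instance (not from the paper): a three-word password space,
# Bob's password distribution, and the guess W' that Definition 6.1 guarantees
# to exist, independent of W_B.
PASSWORDS = (0, 1, 2)
P_WB = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
P_WPRIME = {w: Fraction(1, 3) for w in PASSWORDS}
# Assumption: when the guess is right, dishonest Alice makes Bob reject with a
# rate that does not depend on the password, so U = (W', D) ends up exactly
# independent of W_B as the proof requires.
P_REJECT_ON_CORRECT = Fraction(1, 10)
EPS = Fraction(1, 100)   # Pr[Y = 1 | W_B != W'] in the constructed execution


def f_id(u, w_b):
    """Ideal F_ID of Figure 3 facing a dishonest Alice: u = (W_A, D)."""
    w_a, d = u
    x = int(w_a == w_b)   # bit (W_A = W_B), returned to Alice
    y = x & d             # bit (W_A = W_B) AND D, returned to Bob
    return x, y


def real_distribution():
    """Joint distribution P_{W_B W' Y} of the constructed real execution."""
    dist = {}
    for w_b, w_p in product(PASSWORDS, PASSWORDS):
        base = P_WB[w_b] * P_WPRIME[w_p]
        p_y1 = 1 - P_REJECT_ON_CORRECT if w_b == w_p else EPS
        dist[(w_b, w_p, 1)] = base * p_y1
        dist[(w_b, w_p, 0)] = base * (1 - p_y1)
    return dist


def accept_rate_on_wrong_guess(real):
    """Pr[Y = 1 | W_B != W'], the quantity Definition 6.1 bounds by epsilon."""
    wrong = {k: p for k, p in real.items() if k[0] != k[1]}
    return sum(p for (_, _, y), p in wrong.items() if y == 1) / sum(wrong.values())


def simulated_input(real):
    """Build U = (W', D) as in the proof of Proposition 6.2 and return the
    real-world joint distribution P_{U W_B X Y}, with X = (W' == W_B)."""
    equal = {k: p for k, p in real.items() if k[0] == k[1]}
    # Pr[Y = 0 | W_B = W']: the bias used when D is sampled "freshly"
    p_d0 = sum(p for (_, _, y), p in equal.items() if y == 0) / sum(equal.values())
    joint = {}
    for (w_b, w_p, y), p in real.items():
        x = int(w_p == w_b)
        if w_b == w_p:
            choices = [(y, p)]                               # D := Y
        else:
            choices = [(0, p * p_d0), (1, p * (1 - p_d0))]   # fresh D
        for d, q in choices:
            key = ((w_p, d), w_b, x, y)
            joint[key] = joint.get(key, Fraction(0)) + q
    return joint


def ideal_distribution(joint):
    """Replace the real (X, Y) by F_ID(U, W_B): the tuple (U, W_B, F_ID(U, W_B))."""
    ideal = {}
    for (u, w_b, _, _), p in joint.items():
        key = (u, w_b) + f_id(u, w_b)
        ideal[key] = ideal.get(key, Fraction(0)) + p
    return ideal


def statistical_distance(p, q):
    """Classical statistical (variational) distance between two distributions."""
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2


def u_independent_of_wb(joint):
    """Exact check of P_{U W_B} = P_U * P_{W_B}, the independence the proof claims."""
    p_u, p_wb, p_uwb = {}, {}, {}
    for (u, w_b, _, _), p in joint.items():
        p_u[u] = p_u.get(u, 0) + p
        p_wb[w_b] = p_wb.get(w_b, 0) + p
        p_uwb[(u, w_b)] = p_uwb.get((u, w_b), 0) + p
    return all(p_uwb.get((u, w_b), 0) == p_u[u] * p_wb[w_b]
               for u in p_u for w_b in p_wb)


if __name__ == "__main__":
    real = real_distribution()
    joint = simulated_input(real)
    print("U independent of W_B:", u_independent_of_wb(joint))
    print("Pr[Y=1 | W_B != W'] =", accept_rate_on_wrong_guess(real))
    print("distance to ideal    =", statistical_distance(joint, ideal_distribution(joint)))
```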

7 Another Example: Randomized 1-2 Oblivious Transfer

Figure 4 below shows the ideal functionality for sender-randomized 1-2 OT. It takes no input from Alice and an input bit $C$ from Bob, and it outputs two random $\ell$-bit strings $S_0$ and $S_1$ to Alice and an $\ell$-bit string $Y$ which stands for the string of his choice $S_C$ to Bob. Note that it allows a dishonest Alice to influence the distribution of $S_0$ and $S_1$, and a dishonest Bob to influence the distribution of $S_C$, but this is good enough for many applications, in particular to build a regular (non-randomized) 1-2 OT in the standard manner.

We recall the security definition of randomized 1-2 OT from [DFR+07]. The definition is in the framework described in Section 4.1 and considers a single execution of the protocol with an arbitrary distribution for honest Bob's input bit and no input for the dishonest players. For consistency with common notation, we denote Bob's input $V$ by $C$ (whereas Alice's input is empty), and Alice's outputs by $X = (S_0, S_1)$.

Definition 7.1 (Rand 1-2 OT$^\ell$). A randomized 1-2 OT protocol is $\varepsilon$-secure (against $\mathfrak{A}$ and $\mathfrak{B}$) if the following properties hold.

Correctness: If Alice and Bob are honest, then for any distribution of Bob's input $C$, $S_0$ and $S_1$ are $\varepsilon$-close to random and independent of $C$, and $Y = S_C$ except with probability $\varepsilon$.

Security for Alice: For any dishonest $B' \in \mathfrak{B}$, the resulting common output state $\rho_{S_0S_1Y'}$ allows a classical binary $C$ such that $\rho_{S_{1-C}S_CCY'} \approx_{\varepsilon} 2^{-\ell}\mathbb{I} \otimes \rho_{S_CCY'}$.



Functionality $\mathcal{F}_{\mathrm{12ROT}}$:

Honestly behaving Alice and Bob: Upon receiving no input from Alice and a choice bit $C \in \{0,1\}$ from Bob, $\mathcal{F}_{\mathrm{12ROT}}$ samples two random and independent strings $S_0, S_1 \in_R \{0,1\}^\ell$, and sends $S_0$ and $S_1$ to Alice and $S_C$ to Bob.

Honest Alice and dishonest Bob: Upon receiving no input from Alice and a bit $C \in \{0,1\}$ and a string $S_C \in \{0,1\}^\ell$ from Bob, $\mathcal{F}_{\mathrm{12ROT}}$ samples a random independent string $S_{1-C} \in_R \{0,1\}^\ell$, and sends $S_0$ and $S_1$ to Alice.

Dishonest Alice and honest Bob: Upon receiving two strings $S_0, S_1 \in \{0,1\}^\ell$ from Alice and a bit $C \in \{0,1\}$ from Bob, $\mathcal{F}_{\mathrm{12ROT}}$ sends $S_C$ to Bob.

Fig. 4. The ideal Randomized 1-2 OT functionality.

Security for Bob: For any dishonest $A' \in \mathfrak{A}$, and for any distribution of $C$, the resulting common output state $\rho_{X'CY}$ (augmented with $C$) allows classical $S_0, S_1$ such that $\Pr[Y = S_C] \geq 1 - \varepsilon$ and $\rho_{S_0S_1X'C} \approx_{\varepsilon} \rho_{S_0S_1X'} \otimes \rho_C$.

Note that the correctness condition in Definition 7.1 is somewhat stronger than the correctness condition in the definition proposed in [DFR+07], which merely requires that $Y = S_C$ except with probability $\varepsilon$. We point out that this difference is not crucial for Proposition 7.2 below to hold. Indeed, if $Y = S_C$ is guaranteed with high probability, then correctness as in Definition 7.1 can be bootstrapped from the security properties for dishonest players, albeit with some loss in the error probability: security for Bob guarantees that the distribution of $(S_0, S_1)$ is close to independent of $C$, and security for Alice guarantees that the distribution of $S_0$, which is close to the distribution of $S_0$ conditioned on $C = 1$, is random and independent of $S_1$ (conditioned on $C = 1$ or not), and similar for $S_1$. Working out the details is tedious¹⁰ and does not give any new insight. In most circumstances, such an argument is not even needed. For any given protocol, the correctness condition of Definition 4.1 can typically be trivially verified by inspection.

Proposition 7.2. A quantum protocol satisfying Definition 7.1 $4\varepsilon$-securely implements $\mathcal{F}_{\mathrm{12ROT}}$ according to Definition 4.1.

Proof. Correctness follows immediately.

Security for Alice: Consider $C$ which is guaranteed to exist by Definition 7.1. Let us define $V = (C, S_C)$ and $Y = \emptyset$. As Alice's input $U$ is empty, $V$ is trivially independent of $U$. Note that $\rho_{S_{1-C}S_CCY'} \approx_{\varepsilon} 2^{-\ell}\mathbb{I} \otimes \rho_{S_CCY'}$ in particular implies that $P_{S_{1-C}S_CC} \approx_{\varepsilon} 2^{-\ell} P_{S_CC}$. Therefore it follows that

$$(\emptyset, (C, S_C), (S_0, S_1), \emptyset) \;\approx_{\varepsilon}\; (\emptyset, (C, S_C), \mathcal{F}_{\mathrm{12ROT}}(\emptyset, (C, S_C)))$$

by the definition of $\mathcal{F}_{\mathrm{12ROT}}$. Finally, by the third claim of Lemma 2.1, $\rho_{S_{1-C}S_CCY'} \approx_{\varepsilon} 2^{-\ell}\mathbb{I} \otimes \rho_{S_CCY'}$ implies that

$$\rho_{S_{1-C}S_CCY'} \;\approx_{4\varepsilon}\; \rho_{S_{1-C} \leftrightarrow S_CC \leftrightarrow Y'}$$

¹⁰ What makes it particularly tedious is that e.g. the random variable $C$ that is guaranteed to exist by the security for Alice may a-priori differ from honest Bob's $C$, and one has to explicitly argue that they have to be close.
from which it follows, by Lemma 2.2, that

$$\rho_{\emptyset(S_0S_1)(CS_C)\emptyset Y'} \;\approx_{4\varepsilon}\; \rho_{\emptyset(S_0S_1) \leftrightarrow (CS_C)\emptyset \leftrightarrow Y'}\,.$$

Security for Bob: Consider $S_0, S_1$ which are guaranteed to exist by Definition 7.1. Let us define $U = (S_0, S_1)$ and $X = \emptyset$. $\rho_{S_0S_1X'C} \approx_{\varepsilon} \rho_{S_0S_1X'} \otimes \rho_C$ in particular implies that $P_{S_0S_1C} \approx_{\varepsilon} P_{S_0S_1}P_C$. Furthermore, it is easy to see that $P[Y \neq S_C] \leq \varepsilon$ implies

$$((S_0, S_1), C, \emptyset, Y) \;\approx_{\varepsilon}\; ((S_0, S_1), C, \emptyset, S_C) = ((S_0, S_1), C, \mathcal{F}_{\mathrm{12ROT}}((S_0, S_1), C))\,.$$

Finally, by Lemma 2.1, $\rho_{S_0S_1X'C} \approx_{\varepsilon} \rho_{S_0S_1X'} \otimes \rho_C$ in particular implies $\rho_{CS_0S_1X'} \approx_{2\varepsilon} \rho_{C \leftrightarrow S_0S_1 \leftrightarrow X'}$, from which follows by Lemma 2.2 that $\rho_{CS_CS_0S_1X'} \approx_{2\varepsilon} \rho_{CS_C \leftrightarrow S_0S_1 \leftrightarrow X'}$. Using $P[Y \neq S_C] \leq \varepsilon$, this implies

$$\rho_{CY(S_0S_1)\emptyset X'} \;\approx_{3\varepsilon}\; \rho_{CY \leftrightarrow (S_0S_1)\emptyset \leftrightarrow X'}\,.$$

The last claim follows from the following observation.

$$\begin{aligned}
\delta(\rho_{CYS_0S_1X'}, \rho_{CY \leftrightarrow S_0S_1 \leftrightarrow X'}) &= \sum_{c,y,s_0,s_1} P_{CYS_0S_1}(c,y,s_0,s_1)\, \delta\big(\rho_{X'}^{c,y,s_0,s_1}, \rho_{X'}^{s_0,s_1}\big) \\
&= P[Y = S_C] \cdot \sum_{c,y,s_0,s_1} P_{CYS_0S_1|Y=S_C}(c,y,s_0,s_1)\, \delta\big(\rho_{X'}^{c,y,s_0,s_1}, \rho_{X'}^{s_0,s_1}\big) + P[Y \neq S_C] \cdot \mathrm{rest} \\
&= P[Y = S_C] \cdot \sum_{c,s_0,s_1} P_{CS_0S_1|Y=S_C}(c,s_0,s_1)\, \delta\big(\rho_{X'}^{c,s_c,s_0,s_1}, \rho_{X'}^{s_0,s_1}\big) + P[Y \neq S_C] \cdot \mathrm{rest}
\end{aligned}$$

where $0 \leq \mathrm{rest} \leq 1$, and similarly for $\delta(\rho_{CS_CS_0S_1X'}, \rho_{CS_C \leftrightarrow S_0S_1 \leftrightarrow X'})$. Subtracting the two terms results in a value that is upper bounded by $P[Y \neq S_C] \leq \varepsilon$ in absolute value. □

8 Conclusion 

We proposed a general security definition for quantum protocols in terms of simple 
quantum-information-theoretic conditions and showed that quantum protocols fulfilling 
the definition do their job as expected when used as subroutines in a larger classical pro- 
tocol. The restriction to classical "outer" protocols fits our currently limited ability for 
executing quantum protocols, but can also be appreciated in that our security conditions 
pose the minimal requirements for a quantum protocol to be useful beyond running it in 
isolation. 
A Proofs

A.1 Proof of Lemma 2.1

We show that $\rho_{X \leftrightarrow Y \leftrightarrow ZE} \approx_{\varepsilon} \rho_{X \leftrightarrow YZ \leftrightarrow E}$; the first claim then follows by the triangle inequality. Since quantum operations do not increase the trace distance, tracing out register $E$ in $\rho_{XYZE}$ and $\rho'_{XYZE} := \rho_{X \leftrightarrow Y \leftrightarrow ZE}$ implies that

$$\rho_{XYZ} \;\approx_{\varepsilon}\; \rho_{X \leftrightarrow Y \leftrightarrow Z} = \rho_{XY} \cdot \rho_{Z|Y}\,.$$

By elementary properties of the trace distance, it follows that

$$\begin{aligned}
\delta(\rho_{X \leftrightarrow Y \leftrightarrow ZE}, \rho_{X \leftrightarrow YZ \leftrightarrow E}) &= \sum_{x,y,z} P_{XY}(x,y)\, \delta\big(P_{Z|Y}(z|y)\,\rho_E^{y,z},\; P_{Z|XY}(z|x,y)\,\rho_E^{y,z}\big) \\
&= \frac{1}{2} \sum_{x,y,z} P_{XY}(x,y)\, \big|P_{Z|Y}(z|y) - P_{Z|XY}(z|x,y)\big|\; \mathrm{tr}\,|\rho_E^{y,z}| = \delta(\rho_{X \leftrightarrow Y \leftrightarrow Z}, \rho_{XYZ}) \leq \varepsilon\,.
\end{aligned}$$

The second claim follows by letting $Y$ be "empty". The third claim holds because by the triangle inequality, we have

$$\delta(\rho_{XZE}, \rho_X \otimes \rho_{ZE}) \leq \delta\big(\rho_{XZE}, \tfrac{\mathbb{I}}{|\mathcal{X}|} \otimes \rho_{ZE}\big) + \delta\big(\tfrac{\mathbb{I}}{|\mathcal{X}|} \otimes \rho_{ZE}, \rho_X \otimes \rho_{ZE}\big) \leq 2\varepsilon$$

and we can then use the second claim. □

A.2 Proof of Lemma 2.2

By elementary properties of the trace distance,

$$\delta(\rho_{Xf(X,Y)YE}, \rho_{Xf(X,Y) \leftrightarrow Y \leftrightarrow E}) = \sum_{x,z,y} P_{Xf(X,Y)Y}(x,z,y)\, \delta\big(\rho_E^{x,z,y}, \rho_E^{y}\big) = \sum_{x,y} P_{XY}(x,y)\, \delta\big(\rho_E^{x,y}, \rho_E^{y}\big) = \delta(\rho_{XYE}, \rho_{X \leftrightarrow Y \leftrightarrow E}) \leq \varepsilon\,.$$

□

A.3 Proof of Lemma 2.3

Let $p = \Pr[\mathcal{E}]$ and $\bar{p} = \Pr[\bar{\mathcal{E}}]$ and define the two sets $\mathcal{Y}_{\mathcal{E}} = \{y : \Pr[\mathcal{E} \mid Y = y] = 1\}$ and $\mathcal{Y}_{\bar{\mathcal{E}}} = \{y : \Pr[\bar{\mathcal{E}} \mid Y = y] = 1\}$. Then,

$$\begin{aligned}
\rho_{X \leftrightarrow Y \leftrightarrow E} &= \sum_{x,y} P_{XY}(x,y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^{y} \\
&= \sum_{x,\, y \in \mathcal{Y}_{\mathcal{E}}} P_{XY}(x,y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^{y} + \sum_{x,\, y \in \mathcal{Y}_{\bar{\mathcal{E}}}} P_{XY}(x,y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^{y} \\
&= \sum_{x,\, y \in \mathcal{Y}_{\mathcal{E}}} p \cdot P_{XY|\mathcal{E}}(x,y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_{E|\mathcal{E}}^{y} + \sum_{x,\, y \in \mathcal{Y}_{\bar{\mathcal{E}}}} \bar{p} \cdot P_{XY|\bar{\mathcal{E}}}(x,y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_{E|\bar{\mathcal{E}}}^{y} \\
&= p \cdot \rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}} + \bar{p} \cdot \rho_{X \leftrightarrow Y \leftrightarrow E|\bar{\mathcal{E}}}\,,
\end{aligned}$$

where we used in the third equality that for $y \in \mathcal{Y}_{\mathcal{E}}$, it follows from the assumption over the event that $\rho_E^{y} = \rho_{E|\mathcal{E}}^{y}$ and similarly for $y \in \mathcal{Y}_{\bar{\mathcal{E}}}$. □
B Other Variants of Oblivious Transfer

In this section, we give analogous "minimal" requirements for composability of other variants of oblivious transfer. It has been shown [Cre87] that all these variants of oblivious transfer are equivalent and universal for secure two-party function evaluation [Kil88]. In fact, the results of this paper show that if the variants are implemented by a quantum protocol according to our security definitions, these classical results still hold.

B.1 Regular (Non-Randomized) 1-2 OT

Figure 5 shows the ideal functionality for the standard (non-randomized) 1-out-of-2 String-OT. It takes two input strings $S_0$ and $S_1$ of $\ell$ bits each from Alice and an input bit $C$ from Bob, and it outputs an $\ell$-bit string $Y$ which stands for the string of his choice $S_C$ to Bob.

Functionality $\mathcal{F}_{\mathrm{12OT}}$: Upon receiving $S_0, S_1 \in \{0,1\}^\ell$ from Alice and a choice bit $C \in \{0,1\}$ from Bob, $\mathcal{F}_{\mathrm{12OT}}$ sends $S_C$ to Bob.

Fig. 5. The ideal 1-2 OT functionality.

The definition is in the framework described in Section 4.1 and considers a single execution of the protocol with an arbitrary distribution for honest Bob's input bit and no input for the dishonest players. For consistency with common notation, we denote Alice's input $U$ by $(S_0, S_1)$ and Bob's input $V$ by $C$.

Definition B.1 (1-2 OT$^\ell$). A 1-2 OT protocol is $\varepsilon$-secure if the following properties hold.

Correctness: If Alice and Bob are honest, then for any joint distribution of Alice's inputs $S_0, S_1$ and Bob's input $C$, it holds that Bob's output $Y = S_C$ except with probability $\varepsilon$.

Security for Alice: If Alice is honest, then for any dishonest Bob and any distribution of Alice's inputs $S_0, S_1$, Alice does not get any output and the common output state $\rho_{S_0S_1Y'}$ allows a classical binary $C$ such that $\rho_{S_0S_1C} \approx_{\varepsilon} \rho_{S_0S_1} \otimes \rho_C$ and $\rho_{S_{1-C}S_CCY'} \approx_{\varepsilon} \rho_{S_{1-C} \leftrightarrow S_CC \leftrightarrow Y'}$.

Security for Bob: If Bob is honest, then for any dishonest Alice and any distribution of Bob's input $C$, the common output state $\rho_{X'CY}$ allows classical $S_0, S_1$ such that $\Pr[Y = S_C] \geq 1 - \varepsilon$ and $\rho_{S_0S_1X'C} \approx_{\varepsilon} \rho_{S_0S_1X'} \otimes \rho_C$.

Proposition B.2. A quantum protocol satisfying Definition B.1 $3\varepsilon$-securely implements $\mathcal{F}_{\mathrm{12OT}}$ according to Definition 4.1.

Proof. Correctness follows immediately.

Security for Alice: Consider $C$ which is guaranteed to exist by Definition B.1. Let us define $V = C$ and $Y = S_C$. By the first requirement in the definition, we have that Alice's input $S_0, S_1$ is $\varepsilon$-close to independent of $C$.

Furthermore, it holds by definition that

$$((S_0, S_1), C, \emptyset, S_C) = ((S_0, S_1), C, \mathcal{F}_{\mathrm{12OT}}((S_0, S_1), C))\,.$$

Finally, by the second requirement in the definition and Lemma 2.2, we have that

$$\rho_{(S_0S_1)CS_CY'} \;\approx_{\varepsilon}\; \rho_{S_0S_1 \leftrightarrow CS_C \leftrightarrow Y'}\,.$$

Security for Bob: as in the proof of Proposition 7.2. □
B.2 Fully Randomized 1-2 OT

Figure 6 below shows the ideal functionality for fully randomized 1-2 String-OT (sometimes also called Oblivious Key OK). It takes no input from the players and outputs two random $\ell$-bit strings $S_0$ and $S_1$ to Alice, a random choice bit $C$ and $S_C$ to Bob. Note that it allows a dishonest Alice to influence the distribution of $S_0$ and $S_1$, and a dishonest Bob to influence the distribution of $S_C$, but this is good enough for many applications, in particular to build a regular (non-randomized) 1-2 OT in the standard manner.



Functionality $\mathcal{F}_{\mathrm{12OK}}$:

Honestly behaving Alice and Bob: Upon receiving no input from Alice and Bob, $\mathcal{F}_{\mathrm{12OK}}$ samples two random and independent strings $S_0, S_1 \in_R \{0,1\}^\ell$ and a choice bit $C \in_R \{0,1\}$, and sends $S_0, S_1$ to Alice and $C, S_C$ to Bob.

Honest Alice and dishonest Bob: Upon receiving no input from Alice and a bit $C \in \{0,1\}$ and a string $S_C \in \{0,1\}^\ell$ from Bob, $\mathcal{F}_{\mathrm{12OK}}$ samples a random independent string $S_{1-C} \in_R \{0,1\}^\ell$, and sends $S_0$ and $S_1$ to Alice.

Dishonest Alice and honest Bob: Upon receiving two strings $S_0, S_1 \in \{0,1\}^\ell$ from Alice and no input from Bob, $\mathcal{F}_{\mathrm{12OK}}$ samples a random bit $C \in_R \{0,1\}$ and sends $C, S_C$ to Bob.

Fig. 6. The ideal Randomized 1-2 OT functionality.

The following definition is in the framework described in Section 4.1 and considers a single execution of the protocol with no inputs for honest or dishonest players. For consistency with common notation, we denote Alice's output $X$ by $(S_0, S_1)$ and Bob's output by $(C, Y)$.

Definition B.3 (Fully Randomized 1-2 OT$^\ell$). A randomized 1-2 OT protocol is $\varepsilon$-secure if the following properties hold.

Correctness: If Alice and Bob are honest, then $S_0$, $S_1$ and $C$ are $\varepsilon$-close to random and independent, and $Y = S_C$ except with probability $\varepsilon$.

Security for Alice: If Alice is honest, then for any dishonest Bob, the common output state $\rho_{S_0S_1Y'}$ allows a classical binary $C$ such that $\rho_{S_{1-C}S_CCY'} \approx_{\varepsilon} \frac{\mathbb{I}}{2^\ell} \otimes \rho_{S_CCY'}$.

Security for Bob: If Bob is honest, then for any dishonest Alice, the common output state $\rho_{X'CY}$ allows classical $S_0, S_1$ such that $\Pr[Y = S_C] \geq 1 - \varepsilon$ and $\rho_{S_0S_1X'C} \approx_{\varepsilon} \rho_{S_0S_1X'} \otimes \frac{\mathbb{I}}{2}$.

Proposition B.4. A quantum protocol satisfying Definition B.3 $4\varepsilon$-securely implements $\mathcal{F}_{\mathrm{12OK}}$ according to Definition 4.1.

Proof. Correctness follows immediately.

Security for Alice: as in Proposition 7.2.

Security for Bob: Consider $S_0, S_1$ which are guaranteed to exist by Definition 7.1. Let us define Alice's input $U = (S_0, S_1)$ and Alice's output $X = \emptyset$. The requirement $\rho_{S_0S_1X'C} \approx_{\varepsilon} \rho_{S_0S_1X'} \otimes \frac{\mathbb{I}}{2}$ in particular implies that $P_{S_0S_1C} \approx_{\varepsilon} \frac{1}{2} P_{S_0S_1}$. Furthermore, it is easy to see that $P[Y \neq S_C] \leq \varepsilon$ implies

$$((S_0, S_1), \emptyset, \emptyset, (C, Y)) \;\approx_{\varepsilon}\; ((S_0, S_1), \emptyset, \emptyset, (C, S_C)) \;\approx_{\varepsilon}\; ((S_0, S_1), \emptyset, \mathcal{F}_{\mathrm{12ROT}}((S_0, S_1), \emptyset))\,.$$

Finally, by Lemma 2.1, $\rho_{S_0S_1X'C} \approx_{\varepsilon} \rho_{S_0S_1X'} \otimes \frac{\mathbb{I}}{2}$ implies $\rho_{CS_0S_1X'} \approx_{4\varepsilon} \rho_{C \leftrightarrow S_0S_1 \leftrightarrow X'}$, from which follows by Lemma 2.2 that $\rho_{CS_CS_0S_1X'} \approx_{8\varepsilon} \rho_{CS_C \leftrightarrow S_0S_1 \leftrightarrow X'}$. Using $P[Y \neq S_C] \leq \varepsilon$, this implies

$$\rho_{\emptyset(CY)(S_0S_1)\emptyset X'} \;\approx_{9\varepsilon}\; \rho_{\emptyset(CY) \leftrightarrow (S_0S_1)\emptyset \leftrightarrow X'}\,.$$

The last claim follows from the following observation.

$$\begin{aligned}
\delta(\rho_{CYS_0S_1X'}, \rho_{CY \leftrightarrow S_0S_1 \leftrightarrow X'}) &= \sum_{c,y,s_0,s_1} P_{CYS_0S_1}(c,y,s_0,s_1)\, \delta\big(\rho_{X'}^{c,y,s_0,s_1}, \rho_{X'}^{s_0,s_1}\big) \\
&= P[Y = S_C] \cdot \sum_{c,y,s_0,s_1} P_{CYS_0S_1|Y=S_C}(c,y,s_0,s_1)\, \delta\big(\rho_{X'}^{c,y,s_0,s_1}, \rho_{X'}^{s_0,s_1}\big) + P[Y \neq S_C] \cdot \mathrm{rest} \\
&= P[Y = S_C] \cdot \sum_{c,s_0,s_1} P_{CS_0S_1|Y=S_C}(c,s_0,s_1)\, \delta\big(\rho_{X'}^{c,s_c,s_0,s_1}, \rho_{X'}^{s_0,s_1}\big) + P[Y \neq S_C] \cdot \mathrm{rest}
\end{aligned}$$

where $0 \leq \mathrm{rest} \leq 1$, and similarly for $\delta(\rho_{CS_CS_0S_1X'}, \rho_{CS_C \leftrightarrow S_0S_1 \leftrightarrow X'})$. Subtracting the two terms results in a value that is upper bounded by $P[Y \neq S_C] \leq \varepsilon$ in absolute value. □

B.3 Randomized Rabin OT

Figure 7 shows the ideal functionality for (randomized) Rabin Oblivious Transfer. It samples a uniform random bit $C \in_R \{0,1\}$ and a string $S \in_R \{0,1\}^\ell$. It outputs $S$ to Alice, $C$ to Bob and in case $C = 1$, also $S$ is output to Bob. If $C = 0$, Bob receives the all-0 string.

Functionality $\mathcal{F}_{\mathrm{RabinOT}}$:

Honestly behaving Alice and Bob: Upon receiving no input from the players, $\mathcal{F}_{\mathrm{RabinOT}}$ samples $S \in_R \{0,1\}^\ell$ and $C \in_R \{0,1\}$ and sends $X := S$ to Alice and $C, Y := C \cdot S$ to Bob.

Honest Alice and dishonest Bob: Upon receiving no input from Alice and a string $S \in \{0,1\}^\ell$ from Bob, $\mathcal{F}_{\mathrm{RabinOT}}$ samples a random independent bit $C$ and outputs it to Bob. If $C = 1$, $\mathcal{F}_{\mathrm{RabinOT}}$ sends $X = S$ to Alice. If $C = 0$, $\mathcal{F}_{\mathrm{RabinOT}}$ samples a new string $S' \in_R \{0,1\}^\ell$ and sends $X = S'$ to Alice.

Dishonest Alice and honest Bob: Upon receiving a string $S \in \{0,1\}^\ell$ from Alice and no input from Bob, $\mathcal{F}_{\mathrm{RabinOT}}$ samples a bit $C \in_R \{0,1\}$ and sends $C, C \cdot S$ to Bob and no output to Alice.

Fig. 7. The ideal Rabin OT functionality.

The following definition is in the framework described in Section 4.1 and considers a single execution of the protocol with no inputs for honest or dishonest players. For consistency with common notation, we denote Bob's output by $(C, Y)$.

Definition B.5 (Rabin OT). A randomized Rabin-OT protocol is $\varepsilon$-secure if the following properties hold.

Correctness: If Alice and Bob are honest, then $X$ and $C$ are $\varepsilon$-close to random and independent and $Y = C \cdot X$ except with probability $\varepsilon$.

Security for Alice: If Alice is honest, then for any dishonest Bob, the common output state $\rho_{XY'}$ allows a classical binary $C$ such that $\rho_{XC} \approx_{\varepsilon} \rho_X \otimes \frac{\mathbb{I}}{2}$ and $\rho_{XCY'|C=0} \approx_{\varepsilon} \frac{\mathbb{I}}{2^\ell} \otimes \rho_{CY'|C=0}$.

Security for Bob: If Bob is honest, then for any dishonest Alice, the common output state $\rho_{X'CY}$ allows a classical $S$ such that $Y = C \cdot S$ except with probability $\varepsilon$ and $\rho_{CSX'} \approx_{\varepsilon} \frac{\mathbb{I}}{2} \otimes \rho_{SX'}$.

Proposition B.6. A quantum protocol satisfying Definition B.5 $5\varepsilon$-securely implements $\mathcal{F}_{\mathrm{RabinOT}}$ according to Definition 4.1.

Proof. Correctness follows immediately.

Security for Alice: Consider $C$ which is guaranteed to exist by Definition B.5. Let us define Bob's input $V := X$ if $C = 1$. In case $C = 0$, sample $V \in_R \{0,1\}^\ell$. Let Bob's output be $Y = (C, C \cdot V)$. As Alice has no input $U = \emptyset$, Bob's input $V$ is trivially independent of $U$. Furthermore, the definition requires $C$ to be $\varepsilon$-close to independent from $X$ and to completely random. In case $C = 1$, $\mathcal{F}_{\mathrm{RabinOT}}$ outputs $(1, Y) = (1, 1 \cdot V) = (1, 1 \cdot X)$ to Bob and $X$ to Alice. In case $C = 0$, Bob receives $(0, 0)$ and Alice's output $X$ is independent of Bob's input $V$. Hence,

$$(\emptyset, V, X, (C, C \cdot V)) \;\approx_{\varepsilon}\; (\emptyset, V, \mathcal{F}_{\mathrm{RabinOT}}(\emptyset, V))\,.$$

From $\rho_{XCY'|C=0} \approx_{\varepsilon} \frac{\mathbb{I}}{2^\ell} \otimes \rho_{CY'|C=0}$ follows by the third claim of Lemma 2.1 that $\rho_{XCY'|C=0} \approx_{4\varepsilon} \rho_{X \leftrightarrow C \leftrightarrow Y'|C=0}$, and as $V$ is sampled at random, also $\rho_{XVCY'|C=0} \approx_{4\varepsilon} \rho_{X \leftrightarrow VC \leftrightarrow Y'|C=0}$ holds. It follows that

$$\begin{aligned}
\rho_{XV(C,C \cdot V)Y'} &= \Pr[C = 0] \cdot \rho_{XV(C,C \cdot V)Y'|C=0} + \Pr[C = 1] \cdot \rho_{XV(C,C \cdot V)Y'|C=1} \\
&= \Pr[C = 0] \cdot \rho_{XV(C,C \cdot V)Y'|C=0} + \Pr[C = 1] \cdot \rho_{X \leftrightarrow V(C,C \cdot V) \leftrightarrow Y'|C=1} \\
&\approx_{4\varepsilon} \Pr[C = 0] \cdot \rho_{X \leftrightarrow V(C,C \cdot V) \leftrightarrow Y'|C=0} + \Pr[C = 1] \cdot \rho_{X \leftrightarrow V(C,C \cdot V) \leftrightarrow Y'|C=1} \\
&\approx_{\varepsilon} \rho_{X \leftrightarrow V(C,C \cdot V) \leftrightarrow Y'}\,,
\end{aligned}$$

where we used Lemma 2.3 for the last approximation.

Security for Bob: Consider $S$ which is guaranteed to exist by Definition B.5. Let us define Alice's input to be $U := S$ and let Alice's output $X$ be empty. As Bob does not have input, $V = \emptyset$, Alice's $U$ is trivially independent of $V$. Furthermore, since $C$ is $\varepsilon$-close to uniformly random and independent of $S$ and $Y = C \cdot S$ except with probability $\varepsilon$, we have

$$(S, \emptyset, \emptyset, (C, Y)) \;\approx_{2\varepsilon}\; (S, \emptyset, \mathcal{F}_{\mathrm{RabinOT}}(S, \emptyset))\,.$$

From $\rho_{CSX'} \approx_{\varepsilon} \frac{\mathbb{I}}{2} \otimes \rho_{SX'}$ follows that $\rho_{CSX'} \approx_{2\varepsilon} \rho_C \otimes \rho_{SX'}$ and therefore by Lemma 2.1, $\rho_{CSX'} \approx_{4\varepsilon} \rho_{C \leftrightarrow S \leftrightarrow X'}$. As $Y = C \cdot S$ except with probability $\varepsilon$, we have by Lemma 2.2 that

$$\rho_{\emptyset CYS\emptyset X'} \;\approx_{5\varepsilon}\; \rho_{CY \leftrightarrow S \leftrightarrow X'}\,.$$

□

C Secure Identification without Unfairness 

The goal of this section is to provide a slightly stronger functionality for secure identification than the one presented in Section 6. It is stronger in that we do not allow dishonest Alice to make Bob reject while she learns whether $W_A = W_B$ or not, but we still allow Alice to make Bob reject all the time by inputting a symbol $\bot$ that never agrees with Bob's input, see Figure 8. In order to achieve this functionality, we have to impose a slightly stricter security definition than Definition 6.1.

Functionality $\mathcal{F}_{\mathrm{ID}}$: Upon receiving strings $W_A$ and $W_B$ from user Alice and from server Bob, $\mathcal{F}_{\mathrm{ID}}$ outputs the bit $Y = (W_A = W_B)$ to Bob. In case Alice is dishonest, she may choose $W_A = \bot$ (which never agrees with honest Bob's input), and (for any choice of $W_A$) the bit $Y$ is also output to Alice.

Fig. 8. The Ideal Password-Based Identification Functionality.

The definition is in the framework described in Section 4.1; thus, it considers a single execution of the protocol with an arbitrary distribution for the honest players' inputs and with no input for dishonest players, and security is defined by information-theoretic conditions on the resulting output states. For consistency with the above notation (and the notation used in [DFSS07]), Alice's and Bob's inputs are denoted by $W_A$ and $W_B$, respectively, rather than $U$ and $V$. Furthermore, note that honest Alice's output $X$ is empty: $X = \emptyset$.

Definition C.1 (Secure Identification). A password-based quantum identification scheme is $\varepsilon$-secure if the following properties hold.

Correctness: For honest user Alice and honest server Bob, Bob learns whether their input is equal, except with probability $\varepsilon$.

Security for Alice: For any dishonest server $B' \in \mathfrak{B}$, and for any distribution of $W_A$, the resulting common output state $\rho_{W_A Y'}$ (augmented with $W_A$) is such that there exists a classical $W'$ that is independent of $W_A$ and such that
$$\rho_{W_A W' Y'|W_A \neq W'} \approx_\varepsilon \rho_{W_A \leftrightarrow W' \leftrightarrow Y'|W_A \neq W'}.$$

Security for Bob: For any dishonest user $A' \in \mathfrak{A}$, and for any distribution of $W_B$, the resulting common output state $\rho_{W_B Y X'}$ (augmented with $W_B$) is such that there exists a classical $W'$ (possibly $\bot$) independent of $W_B$, such that if $W_B \neq W'$ then $Y = 1$ with probability at most $\varepsilon$, and if $W_B = W'$, Bob's output is $Y = 1$. Furthermore, we have that
$$\rho_{W_B W' X'|W' \neq W_B} \approx_\varepsilon \rho_{W_B \leftrightarrow W' \leftrightarrow X'|W' \neq W_B}.$$

The only difference to Definition 6.1 from [DFSS07] is that we additionally require for the security for Bob that he accepts in case $W_B = W'$. This small change allows us to achieve a more natural functionality compared to the case where we leave undefined what happens in case $W_B = W'$. We note that the protocol proposed in [DFSS07] also fulfills this strengthened Definition C.1. In Step 5 of their protocol, if dishonest Alice sends a string $Z$ which is inconsistent with any of the possible strings $S_j$ corresponding to Bob's passwords, $W'$ is set to $\bot$. This $W'$ is independent of $W_B$ and as Bob always rejects, dishonest Alice does not learn any additional information about $W_B$.
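As an added example that is not part of the paper, the following Python models $\mathcal{F}_{\mathrm{ID}}$ of Fig. 8 with a dishonest user and checks exhaustively the classical part of Security for Bob in Definition C.1 on the ideal functionality: Bob accepts exactly when $W_B = W'$, the symbol $\bot$ always leads to rejection, and the only thing dishonest Alice learns is the bit $Y$, so that with $W' = \bot$ her posterior on $W_B$ equals her prior, which is the "no additional information" statement of the paragraph above. The password set and the prior on $W_B$ are constructed for the example.

```python
# Added example, not code from the paper: a classical model of the ideal identification
# functionality F_ID (Fig. 8) with a dishonest user, and exhaustive checks of what
# Definition C.1 (Security for Bob) requires of it.
from fractions import Fraction

BOTTOM = None  # stands for the symbol "bottom" that never agrees with an honest input
PASSWORDS = ('alpha', 'bravo', 'charlie')  # constructed password set for the example


def f_id(w_a, w_b, alice_dishonest=False):
    """F_ID: Bob receives Y = (W_A = W_B); W_A = BOTTOM never matches.  A dishonest
    Alice also receives Y, an honest Alice receives nothing.  Returns (Y, Alice's output)."""
    y = 1 if (w_a is not BOTTOM and w_a == w_b) else 0
    return y, (y if alice_dishonest else None)


def check_bob_accepts_iff_equal():
    """Security for Bob, classical part: for every W' a dishonest Alice may submit
    (including BOTTOM) and every honest W_B, Bob outputs Y = 1 exactly when W_B = W'."""
    for w_prime in PASSWORDS + (BOTTOM,):
        for w_b in PASSWORDS:
            y, _ = f_id(w_prime, w_b, alice_dishonest=True)
            if y != (1 if w_prime == w_b else 0):
                return False
    return True


def alice_posterior(w_prime, prior):
    """What dishonest Alice learns about W_B: her whole view is the bit Y, so her
    knowledge afterwards is the prior conditioned on the Y she observed.
    Returns {y: {w_b: Pr[W_B = w_b | Y = y]}} over the values of y that can occur."""
    by_y = {}
    for w_b, p in prior.items():
        _, seen = f_id(w_prime, w_b, alice_dishonest=True)
        by_y.setdefault(seen, {})[w_b] = p
    return {y: {w: p / sum(d.values()) for w, p in d.items()} for y, d in by_y.items()}


def check_bottom_leaks_nothing(prior):
    """With W' = BOTTOM, Bob always rejects and Alice's posterior equals her prior,
    i.e. she learns nothing about W_B beyond the rejection itself."""
    post = alice_posterior(BOTTOM, prior)
    return set(post) == {0} and post[0] == prior


if __name__ == '__main__':
    prior = {'alpha': Fraction(1, 2), 'bravo': Fraction(1, 4), 'charlie': Fraction(1, 4)}
    print("Bob accepts iff W_B = W':", check_bob_accepts_iff_equal())
    print('bottom leaks nothing:', check_bottom_leaks_nothing(prior))
    print('posterior after submitting alpha:', alice_posterior('alpha', prior))
```

Submitting a real password instead of $\bot$ is the one guess the functionality does allow: the posterior then collapses to that password when $Y = 1$ and excludes it when $Y = 0$, which is exactly the single-bit leakage that the ideal functionality permits and nothing more.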

Proposition C.2. A quantum protocol satisfying Definition C.1 $\varepsilon$-securely implements the functionality $\mathcal{F}_{\mathrm{ID}}$ from Figure 8 according to Definition 4.1.

Proof. Correctness follows immediately.
Security for Alice: as in Proposition 6.2.
Security for Bob: Consider $W'$ which is guaranteed to exist by Definition C.1. Let $U = W'$ and $X = (W' = W_B)$. Recall that by the requirement of Definition C.1, $W'$ is independent of Bob's input $W_B$.

Since by Definition 6.1 the probability for Bob to decide that the inputs are equal, $Y = 1$, does not exceed $\varepsilon$ if $W_B \neq W'$, and Bob accepts, $Y = 1$, if $W_B = W'$, we have that
$$\begin{aligned}
\rho_{W' W_B X Y} &= \Pr[W_B = W'] \cdot \rho_{W' W_B X Y|W_B = W'} + \Pr[W_B \neq W'] \cdot \rho_{W' W_B X Y|W_B \neq W'} \\
&= \Pr[W_B = W'] \cdot \rho_{W' W_B \mathcal{F}_{\mathrm{ID}}(W', W_B)|W_B = W'} + \Pr[W_B \neq W'] \cdot \rho_{W' W_B X Y|W_B \neq W'} \\
&\approx_\varepsilon \Pr[W_B = W'] \cdot \rho_{W' W_B \mathcal{F}_{\mathrm{ID}}(W', W_B)|W_B = W'} + \Pr[W_B \neq W'] \cdot \rho_{W' W_B \mathcal{F}_{\mathrm{ID}}(W', W_B)|W_B \neq W'} \\
&= \rho_{W' W_B \mathcal{F}_{\mathrm{ID}}(W', W_B)}.
\end{aligned}$$
Finally, we have
$$\rho_{W_B Y U X X'} = \Pr[W_B \neq W'] \cdot \rho_{W_B Y W' X X'|W_B \neq W'} + \Pr[W_B = W'] \cdot \rho_{W_B Y W' X X'|W_B = W'}.$$

In the case $W_B = W'$, we have by construction that $X = Y = 1$ and therefore, we obtain that $\rho_{W_B Y W' X X'|W_B = W'} = \rho_{W_B Y \leftrightarrow W' X \leftrightarrow X'|W_B = W'}$. If $W_B \neq W'$, it follows from Definition C.1 that $\rho_{W_B W' X'|W' \neq W_B} \approx_\varepsilon \rho_{W_B \leftrightarrow W' \leftrightarrow X'|W' \neq W_B}$. Furthermore, the bit $X$ is fixed to $0$ in case $W_B \neq W'$ and we only make an error of at most $\varepsilon$ assuming that Bob's output $Y$ is always $0$ and therefore,
$$\begin{aligned}
\rho_{W_B Y W' X X'|W_B \neq W'} &\approx_\varepsilon \rho_{W_B (Y=0) W' (X=0) X'|W_B \neq W'} \\
&\approx_\varepsilon \rho_{W_B (Y=0) \leftrightarrow W' (X=0) \leftrightarrow X'|W_B \neq W'} \\
&\approx_\varepsilon \rho_{W_B Y \leftrightarrow W' X \leftrightarrow X'|W_B \neq W'}.
\end{aligned}$$

Putting things together, we obtain
$$\begin{aligned}
\rho_{W_B Y U X X'} &\approx_{3\varepsilon} \Pr[W_B \neq W'] \cdot \rho_{W_B Y \leftrightarrow W' X \leftrightarrow X'|W_B \neq W'} + \Pr[W_B = W'] \cdot \rho_{W_B Y \leftrightarrow W' X \leftrightarrow X'|W_B = W'} \\
&= \rho_{W_B Y \leftrightarrow W' X \leftrightarrow X'},
\end{aligned}$$
where we used Lemmas 2.1 and 2.3 in the last step. □